CIP User Guide

July 29, 2022 | Author: Anonymous | Category: N/A

Datakey CIP User’s Guide

Version 4.7

Datakey Inc. is now SafeNet Inc. In Q4 2004 Datakey Inc. was acquired by SafeNet Inc. In connection with this acquisition all copyright and trademark information in this guide has been updated to reflect the SafeNet name. Contact information has also been changed where appropriate. For this release the name Datakey CIP is still being used as the product name.


Copyright notice

Copyright © 2002 - 2005 SafeNet Inc. All rights reserved. No part of this document may be reproduced or retransmitted in any form or by any means electronic, mechanical, or otherwise, including photocopying and recording for any purpose other than the purchaser’s personal use without written permission of SafeNet, Inc.

Trademarks

SafeNet and Datakey are registered trademarks of SafeNet, Inc. Datakey CIP is a trademark of SafeNet, Inc. Microsoft is a registered trademark of Microsoft Corporation. Windows and Windows NT are registered trademarks of Microsoft Corporation. Netscape, Netscape Communications, and Netscape product names are trademarks of Netscape Communications Corporation. All other brand names and product names used in this manual are trademarks, registered trademarks, or trade names of their respective holders.

Print history

Date           Software Release           Description
June 2002      Datakey CIP Version 4.7    Initial release of the Datakey CIP User’s Guide in updated format
March 2003     Datakey CIP Version 4.7    Updated for Maintenance Update 9
October 2003   Datakey CIP Version 4.7    Updated for Maintenance Update 15, adding Citrix and CAC information
June 2004      Datakey CIP Version 4.7    Updated for Maintenance Update 19, including enhanced biometric support
August 2004    Datakey CIP Version 4.7    Updated for Maintenance Update 20, adding Terminal Server support
October 2004   Datakey CIP Version 4.7    Remove all references to the Configuration Wizard
March 2005     Datakey CIP Version 4.7    Updated for Maintenance Update 20.3, adding Passphrase Complexity support


Table of Contents

Chapter 1  Introduction ..... 1
  What is a token? ..... 2
    Benefits of tokens ..... 3
    Features of Datakey tokens ..... 3
  Tokens, email, and the Web ..... 4
  What is a digital ID? ..... 4
  Datakey CIP support of Common Access Card ..... 5

Chapter 2  Getting Started ..... 7
  System requirements ..... 7
  Compatible smart cards and tokens ..... 8
  Compatible readers ..... 8
  Installing Datakey CIP ..... 9
  Checking for software updates ..... 14
  Initializing the token ..... 17
  Uninstalling Datakey CIP ..... 18
  Removing, adding, or changing token readers ..... 19
    To add a token reader ..... 19
    To change token readers ..... 19
  Using Datakey CIP with different applications ..... 19
  Online help ..... 20
  Additional support information ..... 20
  Registration ..... 20
  Logging on to your smart card ..... 21
    Overview ..... 21
    Standard passphrase logon ..... 21
    Secure PIN Pad reader logon ..... 22
    Biometric reader logon ..... 22
    Windows PKI-Based Smart Card Logon ..... 23
    Non-PKI smart card logon ..... 23
    Troubleshooting ..... 25
  Passphrase Complexity Rules ..... 25
    Non-conforming passphrases ..... 26
    How it works with other versions of SafeNet CIP ..... 26
    PIN Pad readers ..... 26

Chapter 3  Datakey CIP ISign ..... 27
  Datakey CIP ISign ..... 27
    Overview ..... 27
    Requirements ..... 27
  Identrus token ..... 27
  RSA key pairs ..... 28
  Identity key ..... 28
    Initial Identity PIN ..... 28
    Identity PIN ..... 28
  Utility key ..... 29
    Utility PIN ..... 29
  Unblocking PINs ..... 29
  Signing Interface ..... 30
    Datakey ISign - Identrus Signing Interface ..... 30

Chapter 4  Datakey CIP Thin ..... 33
  Overview ..... 33
  Citrix features ..... 34
  Citrix architecture ..... 34
  Installing Datakey CIP Thin on a MetaFrame server ..... 35
  Installing Datakey CIP on a client workstation ..... 36
  Using Datakey CIP Thin from the client ..... 36
  Token logon using a Microsoft certificate ..... 37
  NFuse/Web Interface support ..... 37
    Two ways to authenticate, two places to authenticate ..... 37
    Configuring NFuse/Web Interface for token/certificate-based authentication ..... 38
    Configuring Microsoft IIS ..... 39
    A Note on Citrix Secure Gateway and NFuse/Web Interface ..... 40
  Publishing PKI applications when Datakey CIP Thin is installed ..... 41
  Microsoft Terminal Server features ..... 42
  Terminal Server architecture ..... 42
  Installing Datakey CIP Thin on a Terminal Server ..... 43
  Installing Datakey CIP on a Windows client workstation ..... 44
  Using Datakey CIP Thin from a Windows client ..... 44
  Fat client capabilities with remote Windows XP machines ..... 45
    Architecture ..... 45
    Capabilities ..... 45
  Troubleshooting Citrix and Terminal Server issues ..... 46

Chapter 5  Using the CIP Utilities ..... 47
  Starting CIP Utilities ..... 47
    Starting CIP Utilities using the Windows Start button ..... 47
    Starting CIP Utilities using SmartMonitor ..... 47
  The CIP Utilities window—Some basics ..... 48
    Copying and clearing text in the right pane ..... 49
    Changing the background color in the right pane ..... 50
    Changing the font settings ..... 51
    Toolbar buttons ..... 51
    Icons ..... 52
    Modifying and updating display ..... 52
  Configuring the CIP Utilities options ..... 53
    Configuring CIP DKLogger settings ..... 54
    Configuring CIP Log settings ..... 54
    Enabling/disabling the Token Server ..... 54
    Enabling/disabling 10SR readers ..... 55
    Configuring the Auto Cert Register Utility ..... 55
    Enabling/disabling the CIP Utilities log ..... 55
    Configuring the object name display ..... 55
    Launching the Quality Agent ..... 56
    Specifying CIP Utilities program options ..... 56
  Token reader tasks ..... 58
    Logging on/off a token ..... 58
    Changing the token passphrase ..... 59
    Changing the token label ..... 60
    Changing the Inactivity Timer ..... 60
    Initializing a token ..... 61
    Testing a token ..... 63
    Importing a PKCS#12 file ..... 63
    Displaying library version information ..... 64
    Importing a certificate from the Windows certificate store ..... 65
    Displaying Common Access Card (CAC) data ..... 65
  Certificate tasks ..... 66
    Deleting a certificate from a token ..... 66
    Moving a certificate to/from Windows ..... 66
    Exporting a certificate to a file ..... 67
    Set a certificate as the default container ..... 67
    Editing certificate attributes ..... 68
    Updating a token ..... 68
  Public key and private key tasks ..... 69
    Deleting a key from a token ..... 69
    Exporting key information to a file ..... 69
    Set a key as the default container ..... 70
    Editing public/private key attributes ..... 70
    Updating a key on a token ..... 71
  Data object tasks ..... 72
    Deleting a data object from a token ..... 72
    Export data object information to a file ..... 72
  Help menu ..... 73
  Troubleshooting using CIP Utilities ..... 73
    Common problems ..... 73
    Possible solutions ..... 74
  Exiting CIP Utilities ..... 74

Chapter 6  Unblocking a Token ..... 75
  Overview ..... 75
  Unblocking a Datakey 330u token ..... 75
    Unblocking a token from within CIP Utilities ..... 75
    Unblocking a token using CIP Desktop ..... 76
  Unblocking an Identrus Token ..... 77

Chapter 7  Using Biometric Smart Cards and Card Readers ..... 79
  Overview ..... 79
  Enrollment ..... 80
    Initializing the Datakey smart card ..... 80
    Enrolling your fingerprint ..... 80
    Troubleshooting enrollment errors ..... 86
  Login ..... 88
    Logging on using one fingerprint ..... 88
    Logging on with multiple fingerprints ..... 89
    Completing the login process ..... 90
    Troubleshooting ..... 92

Chapter 8  Datakey CIP Desktop ..... 93
  SmartMonitor ..... 93
  SmartLogon ..... 94
  SmartNotes ..... 95
  Passphrase Utility ..... 95
  Auto Cert Registration Utility ..... 95
  CIP Utilities ..... 96

Appendix A  Modifying PIN Timeout and Single Sign-On Values ..... 97
  PIN timeouts ..... 97
    Default PIN timeout values ..... 97
    Creating the DWORD values ..... 98
    Modifying the PIN timeout policy ..... 98
    AccessPolicy DWORD ..... 100
    ResetPolicy DWORD ..... 101
    TimePeriod DWORD ..... 102
  Single Sign-On (SSO) ..... 102
    Configuring SSO ..... 102
    Trusted Application Policy ..... 103

Appendix B  Common Access Card Differences ..... 105
  What is a CAC? ..... 105
    Benefits of CACs ..... 106
  Functional differences ..... 106

Appendix C  CAPI and PKCS#11 Functions ..... 109
  CAPI functions ..... 109
  PKCS#11 functions ..... 111
    PKCS#11 Version 1 – DKCK132.DLL ..... 111
    PKCS#11 Version 2.0 – DKCK232.DLL ..... 114
    PKCS#11 Version 2.01 – DKCK201.DLL ..... 117

Index ..... 121


Chapter 1

Introduction

Datakey Cryptographic Interface Provider (Datakey CIP) is a package of software and hardware components designed to enhance the security of Internet applications that support PKCS #11 (versions 1.0 and 2.01) or Microsoft Cryptographic Application Programming Interface (CAPI, version 2.0) standard cryptography. The Datakey CIP user stores public and private keys on a personal token. The token is read by the system, when necessary, to work with encrypted documents or digital signatures.

The Datakey CIP interface software is recognized and validated by all PKCS #11 or Microsoft CAPI-enabled security applications, which safeguards the user from any attempt to compromise the key access software. Popular applications that support this standard include Microsoft Outlook, Microsoft Internet Explorer, Netscape Communicator, the Entrust PKI, Checkpoint VPN-1 Key Management System, Betrusted UniCERT, and many other compatible applications. Keys and certificates contained in Datakey smart cards may be shared by Microsoft Internet Explorer, Netscape Communicator, and a host of other applications that use these powerful Internet client products.

You may choose from two token formats: smart cards, which are credit-card sized cards, or USB tokens, which fit on a key-ring. The complete Datakey CIP package includes a token reader for the selected format (card or key), a blank token, and the required interface software. Token readers attach to the computer in a number of ways: via an available serial port, or, when using a portable laptop computer, as a PCMCIA device inserted in an available PCMCIA slot.


The contents of the Datakey CIP basic package include:

- Interface Software (CD-ROM)
- User’s Guide (this document)
- Quick Start Guide
- One of the following types of tokens:
  - Smart card (Model 330)
  - USB token (iKey 2032)
  - Smart card (Model 320)
- One of the following types of readers:
  - Serial Port Smart Card Reader (DKR 810, DKR 711, DKR 610/611)
  - PCMCIA-compatible Card Reader (DKR 800, DKR 700/701, DKR 600)
  - USB Port Smart Key Reader (DKR 830, DKR 730/731, DKR 630/631)
  - PIN Pad Card Reader (Vasco Digipass DESK 850)
  - Biometric Card Reader (Precise Biometrics 100SC or 100MC)

What is a token?

A token is a tool that is ideally suited for use with applications that require the secure storage of digital IDs and credentials. The tokens act as secure “digital carriers”—vehicles capable of storing one or more digital representations of a particular person. Datakey offers two main token formats:

- Smart cards, which are credit card-sized cards
- USB tokens, which are small, lightweight devices that fit on a key-ring


Benefits of tokens

Tokens provide a number of benefits:

- Security: Your private information never leaves the token, and is protected by two-factor security—something that is owned (the token) and something that is known (the token passphrase).
- Portability: Your digital credentials can go wherever you go.
- Flexibility: A token can be used to store a variety of information, including certificates, public keys, private keys, user names and passwords, etc.
- Simplicity: Your many passwords can be stored on a single token. In addition, you are less likely to lose a token than forget a password.
- Ease of use: A token is simply inserted into a token reader to activate an application; no complex codes need be read or entered. Further, one token can be used for several applications.

Features of Datakey tokens

Some of the primary features of the Datakey tokens include:

- Built-in crypto/security application (ROM-based)
- Cryptographic functions
- Certificate storage and handling
- Support for multiple keys and certificates (up to EEPROM limits)
- High performance crypto functions
- GSA card edge interface
- FIPS 140-2 Level 2 validated
- Supports PKCS #11 and Microsoft CryptoAPI interface requirements, enabling use of the same smart card to secure email and to act as an authentication token
- 32K EEPROM for secure storage of keys, passwords, certificates, application programs, and data. Each smart card can hold anywhere from 15-30 certificates, depending on the size of the digital profile
- On-card key generation—this means the critical private key never leaves the card and can't be stolen over the network or from a user's PC
- Supports multiple encryption algorithms including RSA, DES, and Triple DES
- Supports Secure Hash Algorithm (SHA-1) and Digital Signature Algorithm (DSA)
- Hardware/software protection against differential power attacks and timing attacks


Tokens, email, and the Web

Using your token enables you to send and receive secure e-mail and to interact securely on the Internet. Your token provides protection against many undesirable actions, such as data disclosure to unauthorized recipients, unauthorized content changes, message spoofing, and message repudiation. This protection is the result of using encryption and a digital signature. Encryption scrambles data so that only the intended recipients (who have the correct “key”) may view it. A digital signature is an electronic mark attached to a message that creates a strong binding between the signer and the contents of the document. No unauthorized change can be made to a message without invalidating its signature. A digital signature proves who the author of the message was—the author can’t deny sending the message.

What is a digital ID?

A digital ID is a set of electronic credentials that uniquely identify an individual. There are two parts to a digital ID: a private key and a certificate.

Your private key is the piece of information unique to you within the Public Key Infrastructure (PKI). Anyone who has access to your private key can impersonate you without detection. An impersonator can read messages meant for your eyes only, or sign documents as you. Therefore, it is important to keep your private key secure—this is the main benefit of a token. It serves as an impenetrable safe for your private key, ensuring that only you have access to it.

Your certificate is the public part of your digital ID. It contains your name and other identifying information. It also contains your public key, which is mathematically related to your private key. Using your certificate, other people can verify that you hold your private key, and therefore must really be who you say you are.

Digital IDs are created in a three-step process:

1. You generate a public and private key pair. This is done directly on your token. The private key is permanently stored on your token; it never leaves. The public key is sent to a trusted third party, called a Certificate Authority (CA).

2. The CA verifies the public key really belongs to you. If the verification succeeds, it creates a certificate for you and sends instructions on how to obtain the certificate.

3. You then download the certificate, completing the digital ID.

While this sounds like a complicated process, in practice it is really very simple. Most of the details are handled for you behind the scenes in software.
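As an added illustration that is not part of the original guide or of SafeNet's software, the following Python script models the three-step enrollment above: a Token class generates its key pair internally and exposes only public_key() and sign(), a CertificateAuthority checks that the applicant can sign with the matching private key before issuing a certificate, and a relying party checks both the certificate and a signed message. All class names, the JSON certificate body and the sample subject are constructed for this example, and the RSA is textbook, unpadded and far too short for real use.

```python
"""Toy model of the three-step digital-ID enrollment described above.
Constructed illustration only: textbook RSA with short keys and no padding,
showing the data flow (private key confined to the token, CA binding a name
to a public key, relying party checking both); it is not usable cryptography.
"""
import hashlib
import json
import random

def is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test, adequate for a toy key generator."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    """Random odd prime with its top bit set, so p*q has the expected size."""
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate

def encode(obj):
    """Canonical byte encoding of a request or certificate body."""
    return json.dumps(obj, sort_keys=True).encode()

def digest(data, n):
    """SHA-256 of the data as an integer below the modulus (toy, no padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def verify(public_key, data, signature):
    """Check a signature using only the public half of a key pair."""
    n, e = public_key
    return pow(signature, e, n) == digest(data, n)

class Token:
    """Models the hardware token: the key pair is generated here (step 1), the
    private exponent is never returned, and only public_key() and sign() exist."""

    def __init__(self, bits=512):
        self._e = 65537
        while True:
            p, q = random_prime(bits // 2), random_prime(bits // 2)
            phi = (p - 1) * (q - 1)
            if p != q and phi % self._e != 0:  # e must be invertible mod phi
                break
        self._n, self._d = p * q, pow(self._e, -1, phi)  # Python 3.8+ inverse
        self.certificate = None  # stored on the token in step 3

    def public_key(self):
        return (self._n, self._e)

    def sign(self, data):
        return pow(digest(data, self._n), self._d, self._n)

class CertificateAuthority:
    """Models the CA (step 2): checks that the applicant controls the private
    key matching the submitted public key, then signs a certificate for it."""

    def __init__(self, name):
        self.name = name
        self._signer = Token()  # the CA's own key lives on a token as well

    def public_key(self):
        return self._signer.public_key()

    def issue(self, subject, public_key, proof):
        request = encode({"subject": subject, "public_key": public_key})
        if not verify(public_key, request, proof):
            raise ValueError("applicant did not prove possession of the private key")
        body = {"issuer": self.name, "subject": subject, "public_key": public_key}
        return {"body": body, "signature": self._signer.sign(encode(body))}

def enroll(token, subject, ca):
    """Steps 1 and 3: submit the public key with a signature made on the token,
    then keep the certificate the CA returns on the token."""
    request = encode({"subject": subject, "public_key": token.public_key()})
    token.certificate = ca.issue(subject, token.public_key(), token.sign(request))
    return token.certificate

def verify_signed_message(message, signature, cert, ca_public_key):
    """What a relying party (e.g. a mail client) does: check the certificate
    against the CA's public key, then the message against the certified key."""
    if not verify(ca_public_key, encode(cert["body"]), cert["signature"]):
        return False
    return verify(tuple(cert["body"]["public_key"]), message, signature)
```

The CA's proof-of-possession check is what stops a second token from obtaining a certificate for someone else's public key, and the relying-party check fails on any altered message or signature.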

Datakey CIP support of Common Access Card

The U.S. Department of Defense (DoD) has adopted a smart card called the Common Access Card (CAC) for securing access to network resources and for assured, private electronic communications by its users. Datakey CIP is fully compliant with the DoD CAC requirements and specifications and will support CAC cards as well as Datakey model 330 cards in a mixed environment. For more specific information regarding Common Access Card support, refer to Appendix B on page 105.


Chapter 2

Getting Started

This chapter provides the information you need to start using Datakey CIP.

System requirements

The computer on which you install Datakey CIP software must be running one of the following Microsoft operating systems:

- Windows 98
- Windows 2000 Professional or Windows Server 2000
- Windows 2003 Server
- Windows XP Professional
- Microsoft Windows NT 4.0 Client, Service Pack 4 or higher

In addition, your computer must meet the following minimum hardware requirements:

- A Pentium or later processor
- A minimum of 8 Mbytes of RAM, but 16 Mbytes is recommended
- One of the following:
  - An available serial port if you are using a token reader
  - An available PCMCIA slot if you are using a laptop computer
  - An available USB port if you are using a USB token


Compatible smart cards and tokens

Datakey CIP supports the following smart cards and tokens:

- Model 320 smart card
- Model 330, Model 330i, Model 330u, Model 330g, & Model 330m smart cards
- Model 330j Java card
- Rainbow iKey 2032 USB token

Compatible readers

Datakey CIP software is compatible with the following readers:

- Datakey Serial Port Smart Card Readers
  - DKR 810 (PC/SC) [SCM SCR 131]
  - DKR 711 (PC/SC) [OMNIKEY CardMan 2011]
  - DKR 610 (PC/SC) [Gemplus GemPC410]
  - DKR 611 (PC/SC) [Gemplus GemPC Serial]
  - 10SR
- Datakey PCMCIA Smart Card Readers
  - DKR 800 (PC/SC) [SCM SCR 241]
  - DKR 700 (PC/SC) [OMNIKEY CardMan 4000]
  - DKR 701 (PC/SC) [OMNIKEY CardMan 4040]
  - DKR 600 (PC/SC) [Gemplus GemPC400]
- Datakey USB Port Smart Key Readers
  - DKR 830 (PC/SC) [SCM SCR 331]
  - DKR 730 (PC/SC) [OMNIKEY CardMan 2020]
  - DKR 731 (PC/SC) [OMNIKEY CardMan 3121]
  - DKR 630 (PC/SC) [Gemplus GemPC430]
  - DKR 631 (PC/SC) [Gemplus GemPC USB]
- PIN Pad Card Readers
  - Vasco Digipass DESK 850
- Biometric Card Readers (requires a Datakey 330m or 330g3 smart card)
  - Precise Biometrics 100SC
  - Precise Biometrics 100MC (USB only)

Note: Datakey CIP uses the PC/SC resource manager as an alternative smart card reader source when used with the model 330 smart card. Please refer to the readme.txt file on the installation CD or contact Datakey Support for a list of qualified readers.

Installing Datakey CIP

To install Datakey CIP:

Note: Entrust and Citrix users must install their client software before installing Datakey CIP.

1. Close all programs and applications.

2. Remove all previously installed versions of Datakey CIP. Uninstall instructions are provided on page 18.

3. Insert the Datakey CIP CD-ROM. It should automatically start the installation program. If it does not, navigate to the CD and double-click the file named setup.exe. The Welcome window is displayed.


4. Click Next.

5. Read the license information, then click Yes. The Serial Number window is displayed.

6. Type your serial number, then click Next. Your serial number is located on a label affixed to the back of the Datakey CIP CD jewel case. The Choose Destination Location window is displayed.


7. Follow the instructions for choosing the folder in which to install Datakey CIP, then click Next. The CIP Install window is displayed.

8. Select the CIP options you would like to install, then click Next. A description of each is displayed when you select the option. If you are unsure which options to select, just take the default options.

Note: The CIP Options dialog that you see depends on the Windows operating system you are using and whether you are installing standard Datakey CIP, Datakey CIP ISign, or Datakey CIP Thin.

- Windows 2000 and Windows XP users: If you are installing on Windows 2000 or Windows XP and want to activate secure Windows logon, be sure to enable the Windows 2000/XP Logon option.
- Non-PKI users: If you want users to be able to enroll their non-PKI credentials on their tokens during Windows logon, be sure to enable the Windows 2000/XP GINA option. See page 24 for more information.
- Entrust users: If you want to use tokens in your Entrust environment, be sure to enable the Entrust Application Support option. In addition, if you are using a biometric (fingerprint) or a PIN pad card reader with your smart card, be sure to also enable the Datakey Identity Device option.
- Passphrase Complexity Rules users: This option requires the Windows 2000/XP GINA option to also be enabled. See page 25 for information about the passphrase complexity rules.


The CIP Desktop Install window is displayed.

9. Select the CIP Desktop features you wish to install, then click Next. A description of each feature is displayed when you select the option. The SmartLogon and SmartNotes CIP Desktop features are available for selection only if you have purchased the CIP Desktop option. The Reader Install window is displayed.


10. Select the reader(s) you will be using with CIP, then click Next to continue. If you are using a reader that is not listed, uncheck all reader options and use the reader installation that came with your reader to install and configure it after CIP is installed.

Note: If you are using Windows 98, only one PC/SC reader can be installed on the PC. If you are using Windows 2000 or Windows XP, the operating system will support more than one PC/SC reader, but only one can be installed at a time. If you are using Windows NT 4.0, you may install more than one PC/SC reader but problems may occur.

The Start Copying Files window is displayed.

11. Click Next to begin copying files to your computer. The installation program will begin copying files to your computer. Follow any special instructions that may appear. When the installation process is complete the following window is displayed:


12. Attach your token reader to your computer.

13. Select the appropriate restart option, then click Finish. You must restart your computer before using Datakey CIP. Follow any subsequent prompts that may appear (for example, registering Datakey CIP with Netscape) to complete the installation process.

Checking for software updates

You should periodically check for updates to your CIP software. Datakey provides a simple and easy method for checking for updates.

1. Verify that you have an active Internet connection.

2. Choose Start -> Programs -> Datakey CIP -> Check For Updates to Datakey CIP. The CIP AutoUpdate screen appears:


3. Click Check for Update. A connection is made to the Datakey Web site and a search is made for updates that apply to your version of Datakey CIP.

If a new update is available the View Readme and the Update and Install buttons are activated.

4. To read information about the available update, click View Readme.

5. To download and install the update, click Update and Install. The update is downloaded from the Datakey Web site. This may take a few minutes depending on the size of the update and on the speed of your Internet connection. When the update file has finished downloading to your computer a dialog box similar to the following appears:

6. Click Next. A dialog box similar to the following appears while the update is installed:

When the installation is complete a dialog box similar to the following appears:


7. Select the appropriate restart option and then click Finish.

IMPORTANT! You must restart your computer before the update will take effect.

Initializing the token

After Datakey CIP has been installed, your token may need to be initialized using the CIP Utilities. If you received your card directly from Datakey you will need to initialize it. If you received your card from your administrator, please consult him or her to verify that this step is necessary. See "Initializing a token" on page 61 for information on initializing a token.


Uninstalling Datakey CIP

If it becomes necessary to uninstall Datakey CIP, perform the following steps:

Note: The following procedure does not remove any token reader software. Your reader software must be uninstalled separately using a similar procedure.

1. From the Start menu, select Settings -> Control Panel.

2. Double-click the Add/Remove Programs icon. The Add/Remove Programs Properties dialog is displayed.

3. Select Datakey CIP.

4. Click Change/Remove and follow the online instructions.

5. Restart the computer.


Removing, adding, or changing token readers

If you want to remove (uninstall) token readers, perform the following steps:

1. Detach (remove) the reader.

2. Access the computer configuration by choosing Start -> Settings -> Control Panel -> System -> Device Manager.

3. Choose the reader to be removed and click Remove or Uninstall.

To add a token reader

Re-install Datakey CIP to select the new reader from the reader selection window. Do not install the reader until the CIP re-installation is completed.

To change token readers

Remove the current reader and add the new token reader (see above).

Using Datakey CIP with different applications

Datakey CIP operates with several different applications. Datakey provides information about using Datakey CIP with each application in separate Integration and Configuration Guides.

- If you are using Entrust 3.0 or a later version, see the Datakey CIP/Entrust Integration and Configuration Guide, available on the Datakey Web site. If you plan to use Entrust but have not already installed it, you will need to re-install Datakey CIP after installing Entrust.

- If you are using Microsoft Internet Explorer, Outlook (or Outlook Express) 98, or Outlook 2000 with Datakey CIP, first personalize your token using the CIP Utilities (see Chapter 5). Then see the Datakey CIP/Microsoft Integration and Configuration Guide.

- If you are using Netscape Communicator with Datakey CIP, first personalize your token using the CIP Utilities (see Chapter 5). Then see the Datakey CIP/Netscape Integration and Configuration Guide.

- If you are using Check Point software, see the Datakey CIP/Check Point Integration and Configuration Guide.


Online help

An online help system is built into Datakey CIP Utilities and can be accessed by selecting Help -> Help Topics at the CIP Utilities main menu.

Additional support information

Additional support is available from:

- Customer Service Engineers: SafeNet offers personal help, if necessary. There is no charge for help requests by fax, mail, or e-mail ([email protected]).

- Telephone Support: Telephone support is available from SafeNet, Inc. Call Technical Support between 8:00 a.m. and 4:30 p.m. CST: 1-888-328-2539. After the warranty period, there is a fee per call without a maintenance contract.

Registration

If you did not complete the online registration, fill out the warranty/registration card and mail or fax it to:

Mail: SafeNet, Inc., 2051 Killebrew Drive, Suite #620, Bloomington, MN 55425
Fax: (952) 890-2726
Online: http://www.datakey.com/products/registration


Logging on to your smart card

Overview

Smart card logons are controlled in a standard Windows environment by the Microsoft GINA (Graphical Identification and Authentication). The standard Microsoft GINA is a replaceable DLL component loaded and run by Winlogon. Datakey supplements the standard Microsoft GINA by adding Datakey-specific GINA capabilities to Datakey's smart card software. A Datakey module, DKGINASR, is used for Windows smart card logon and adds the following features to the standard Microsoft GINA:

- Allows secure smart card logon with PIN pad readers
- Allows smart card logon using biometric card readers
- Allows for Windows PKI-based smart card logon
- Allows for Windows non-PKI smart card logon

Datakey CIP provides the appropriate logon prompts as needed.

Standard passphrase logon

If you are using a standard smart card and reader, you will see the following dialog box during smart card logon:

To log on to the smart card:

1. Type your passphrase.

2. Click OK.


Secure PIN Pad reader logon

Note: PIN pad readers are supported with Windows 2000 and Windows XP.

If you are using a secure PIN Pad smart card reader, you will see the following dialog box during smart card logon:

Enter your PIN on the secure PIN Pad smart card reader, then press OK. Due to the nature of secure PIN pad readers, this dialog box contains no Cancel or Shutdown buttons. Everything is controlled directly through the PIN pad reader. This provides additional protection for your PIN because the smart card is unlocked without the PIN traversing any of your computer's components (keyboard, memory, etc.), so software running on the PC never sees it.

Biometric reader logon

If you are using a biometric smart card reader along with a Datakey smart card that has your fingerprint enrolled on it, you will see a dialog box similar to one of the following during smart card logon:

- OR -

Log on using your fingerprint as described in "Using Biometric Smart Cards and Card Readers" on page 79.


Windows PKI-Based Smart Card Logon

Note: This feature is supported with Windows 2000 and Windows XP.

A PKI (public key infrastructure) provides security to otherwise unsecured public networks. It enables you to conduct secure and private transactions through the use of several key components, including a Certificate Authority (CA), a public and private cryptographic key pair, and a certificate management system. The standard Microsoft Windows PKI-based smart card logon is supported transparently by Datakey CIP. The smart card must contain a private/public key pair, and a matching certificate must also be on the smart card. To log on to a Windows PKI system using your smart card, insert your smart card into the card reader and follow the on-screen instructions.

Non-PKI smart card logon

Note: Non-PKI smart card logon is supported with Windows 2000, Windows NT, and Windows XP.

Non-PKI Windows smart card logon is also supported by Datakey CIP. It is designed to let you log on to your computer with your smart card without using a certificate that has been issued by a Certificate Authority. You can use smart card logon without the overhead required by a PKI infrastructure. Instead of using a certificate and server, your logon credentials are stored on the smart card. Your credentials consist of your user name, domain name, and password. Your credentials are stored privately and encrypted on the smart card, and can only be retrieved after you have logged on to the smart card itself. After enrolling your credentials, you can log on to your computer by simply logging on to your smart card; your credentials are read securely from your smart card. Because the stored credential is your Windows password itself, this form of logon is only as strong as the card passphrase or fingerprint that releases it, and the enrolled credential becomes stale whenever the password changes (see "Troubleshooting" below).


Enrolling your non-PKI credentials

To enroll your Windows logon credentials onto your smart card:

1. Begin with a prepared smart card. Make sure the smart card is initialized and that you have properly set up the smart card's passphrase or fingerprint enrollment.

2. Log out of your computer so you get the standard Microsoft logon screen. You are prompted to either insert your smart card or press Ctrl-Alt-Delete.

3. Insert your smart card. The standard Microsoft logon window appears.

4. Enter your user name, domain name, and password to log on to Microsoft Windows. If you log on to Windows successfully, and all three elements (user name, domain, password) were entered, the following dialog box appears:

5. To add your credentials to your smart card, click OK.

6. When prompted, log on to your smart card. Your credentials will be stored securely on the smart card.

Logging on

To log on to Windows using your smart card:

1. Make sure you have a smart card with your credentials enrolled as described above.

2. Log out of your computer to get the standard Microsoft logon screen.

3. Insert your smart card.

4. Log on to your smart card. If successful, the credentials enrolled on the smart card will be used to log you onto Microsoft Windows.


Troubleshooting

If you experience difficulty logging on to Windows using your smart card (for example, if your password or user name changes), you can still log on to Windows by pressing Ctrl-Alt-Delete. If, through user name changes or password changes, the credentials on your smart card become obsolete, you can use CIP Utilities to re-initialize your smart card and re-enroll.

Passphrase Complexity Rules

If the Passphrase Complexity Rules option is enabled during installation (see page 11), the following rules are enforced on smart card passphrases.

- Passphrase expiration: The passphrase used to access a smart card will expire in no more than six months.

- Passphrase history: The new passphrase cannot be the same as any of the previous five passphrases.

- Passphrase length: The passphrase must be a minimum of eight characters in length.

- Passphrase composition: The passphrase must be composed of characters from at least three of the following four groups from the standard keyboard:
  - Upper case letters (A-Z)
  - Lower case letters (a-z)
  - Arabic numerals (0 through 9)
  - Nonalphanumeric characters (punctuation symbols)

Note: The default passphrase created when initializing a smart card is PASSWORD, which does not conform to the composition rules. This passphrase, however, will expire after one week and the composition rules will be enforced on subsequent passphrases.
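The four rules above, written out as a checker so that an administrator can see exactly what a conforming passphrase has to satisfy. This is an added example, not Datakey or SafeNet code: the function names, the reading of "six months" as 182 days, and the sample passphrases are assumptions made for illustration.

```python
# Added example: a model of the Datakey CIP passphrase complexity rules.
# Not Datakey/SafeNet code; function names, the 182-day reading of "six
# months" and the sample passphrases are assumptions for illustration.

MIN_LENGTH = 8                    # passphrase length rule
HISTORY_DEPTH = 5                 # passphrase history rule
MAX_AGE_DAYS = 182                # "no more than six months" (assumed as 182 days)
DEFAULT_PASSPHRASE = "PASSWORD"   # set when the card is initialized
DEFAULT_MAX_AGE_DAYS = 7          # the default passphrase expires after one week


def composition_groups(passphrase):
    """Count how many of the four keyboard character groups the passphrase uses:
    upper case letters, lower case letters, Arabic numerals, nonalphanumerics."""
    tests = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    return sum(1 for test in tests if any(test(c) for c in passphrase))


def check_new_passphrase(candidate, history):
    """Apply the length, composition and history rules to a proposed passphrase.

    history lists the card's earlier passphrases, oldest first; only the last
    five are compared.  Returns the list of violated rules; an empty list means
    the passphrase is accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("length: fewer than %d characters" % MIN_LENGTH)
    if composition_groups(candidate) < 3:
        problems.append("composition: fewer than three of the four character groups")
    if candidate in history[-HISTORY_DEPTH:]:
        problems.append("history: matches one of the previous five passphrases")
    return problems


def is_expired(current, age_days):
    """Expiration rule.  The initialization default PASSWORD gets the one-week
    limit; every other passphrase gets the six-month limit."""
    limit = DEFAULT_MAX_AGE_DAYS if current == DEFAULT_PASSPHRASE else MAX_AGE_DAYS
    return age_days >= limit


if __name__ == "__main__":
    # Constructed sample run: the default passphrase fails composition, a
    # conforming replacement passes, and reusing it is caught by the history rule.
    print(check_new_passphrase(DEFAULT_PASSPHRASE, []))
    print(check_new_passphrase("Tr0ub4dor&3", [DEFAULT_PASSPHRASE]))
    print(check_new_passphrase("Tr0ub4dor&3", [DEFAULT_PASSPHRASE, "Tr0ub4dor&3"]))
    print(is_expired(DEFAULT_PASSPHRASE, 7), is_expired("Tr0ub4dor&3", 7))
```

The check runs before a new passphrase is written to the card; the expiry check is what a logon would apply to the passphrase already on the card. Note that the history rule only looks at the last five entries, so a passphrase older than that can legitimately be reused.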


Non-conforming passphrases

If a user tries to create a new passphrase that does not conform to these rules, the following dialog is displayed:

How it works with other versions of SafeNet CIP

- If a smart card is initialized on a SafeNet CIP 4.7 mu20.3 system that has the Passphrase Complexity Rules option enabled, the complexity rules will be enforced by all SafeNet CIP mu20.3 systems, even if those other systems do not have the option enabled. In other words, the rules travel with the card rather than with the workstation.

- The complexity rules are not supported by SafeNet CIP 4.7 versions earlier than mu20.3. For example, if a smart card is initialized on a SafeNet CIP mu20.3 system that has the Passphrase Complexity Rules option enabled, but the smart card is subsequently initialized on a pre-mu20.3 SafeNet CIP 4.7 system, the complexity rules will NOT be enforced.

PIN Pad readers

The Passphrase Complexity Rules option is not supported on PIN Pad readers.


Chapter 3

Datakey CIP ISign

Overview

Identrus is a PKI business-to-business e-commerce solution used when business-to-financial authentication is required to verify transactions. Financial institutions act as the trusted third parties, enabling digital signatures to provide non-repudiation for transactions. The Identrus infrastructure enables trading partners, through their financial institutions, to conclusively identify one another over the Internet. PKI functionality is supported throughout the Identrus infrastructure. The private keys required by the PKI infrastructure are stored on a token. When a user signs a document as part of a transaction, the Identrus signing interface (Datakey ISign) uses the token to create a signature. Datakey CIP ISign is installed by selecting the ISign option during installation of Datakey CIP, provided you have licensed Datakey CIP ISign.

Requirements

- Microsoft Internet Explorer 5.5 or later
- Microsoft Java Virtual Machine

Identrus token

The Identrus token generally refers to a PKI smart card. This token is initialized at an initialization station within an Identrus infrastructure and contains the keys and PKI functions necessary for signing documents and transactions within that Identrus infrastructure. It is designated the Datakey Model 330i smart card.


RSA key pairs

Identrus tokens are required to have at least one RSA key pair, called the Identrus Identity key. The Identity key is only used to sign documents during Identrus transactions. The token can also have a second, optional RSA key pair, called the Identrus Utility key. The Utility key is used for regular SSL and encryption.

Identity key

The Identity key is used to generate signatures in Identrus Identity applications. This is done through a signing interface using the on-token key.

Initial Identity PIN

After token personalization, but before the end user has received the token, the Identity key is protected by the initial Identity PIN. The initial PIN is normally sent to the end user via a PIN mailer. Before signing a document with the Identity key, you must unlock the key by assigning a PIN known only to you. Use the Passphrase Utility to assign a new PIN. The initial Identity PIN is entered as the current PIN.

Identity PIN

The Identity PIN must be entered for every signature and must be at least six alphanumeric characters. Each time a document is to be signed you must enter the Identity PIN. If the PIN is entered incorrectly, the document will not be signed. If you enter the wrong PIN several times in a row, the Identity key will be blocked and you will need a special PIN to use the Identity key again. The number of consecutive wrong PINs that will block the key is set by the administrator. An unblocking PIN (available from your administrator) will need to be used to unlock it.


Utility key

The Utility key is used to establish SSL or TLS sessions, encrypt S/MIME messages, e-mail, etc. The use of this key is optional and is at the discretion of the parties involved.

Utility PIN

The Utility PIN must be entered before the Utility key can be used for any function. If the PIN is entered incorrectly, the function requesting the Utility key will be denied access to the key.

Unblocking PINs

If the Identity PIN is entered incorrectly a specified number of times (this administrator-specified count is usually set to 5), the Identity key will be blocked and cannot be used again until a valid unblocking PIN is entered. Up to six unblocking PINs can be loaded during personalization. Each one is good once to unblock the Identity key. If the Identity key is blocked after all the unblocking PINs are used, the Identity key will be permanently blocked. The Passphrase Utility is used when updating the PIN to a new value and to unblock the Identity PIN. To unblock the Identity PIN, just enter the unblocking PIN as the current PIN and enter a new Identity PIN. See Chapter 6 for more details.

Note: The new Identity PIN must be different from both the unblocking PIN and the previously valid Identity PIN.


Signing Interface

The Signing Interface can be a Plug-In for the browser or a Java Applet called during the request for the document signature. This interface allows you to view the document prior to performing the signing action.

Note: Before signing a document with the Identity key, the user must unlock the key by assigning a new PIN. The Identrus PIN Utility is used to assign a new Identity PIN. The initial Identity PIN is entered as the current PIN.

Datakey ISign - Identrus Signing Interface

The Datakey Identrus Signing Interface is called "Datakey ISign." This interface is automatically activated when an Identrus Signature is requested. The user has the option to review, save, and sign the document at that time.

Note: The Datakey ISign signing interface only supports text documents at this time. It is inadvisable to sign text you cannot read: formats such as PDF and Microsoft Word can carry hidden text, so what is displayed would not necessarily be what is signed.


The Datakey ISign interface includes the following:

- Main Text Area: The main text area, which in the sample above is displaying the text "This is a test file", will display the entire text that is to be signed. If the text does not fit in the viewing area, scroll bars can be used to scroll through the document. This is the text that you are being asked to sign.

- Identrus Certificate Store: The Identrus Certificate Store field displays the certificate name. This name is part of the certificate requested from the Identrus Certificate Server (CA).

- Identity PIN: Enter the Identity PIN in the Identity PIN field. Each character displays as a '*' to maintain the PIN's privacy.

- Save As: The Save As button prompts for a name and location to save the document. You can then save the document and return to the signing interface window.

- Sign: The Sign button signs the document displayed in the main text area with the on-token key and closes the signing interface window.

- Cancel: The Cancel button cancels the signing operation and closes the signing interface window.

 


Chapter 4

Datakey CIP Thin

Overview

Datakey CIP Thin software is designed to be installed on servers such as Citrix MetaFrame servers and on Windows Terminal Servers. Doing so gives a thin client (a computer containing only the very basic hardware and software components) the ability to access PKI and smart card-enabled applications that reside on those servers. And because the server applications are able to access a token reader that is attached to the thin client, token-based authentication using certificates/keys and user names/passwords is possible. Installing Datakey CIP Thin on servers therefore:

- Provides token-based security for thin clients that need access to PKI and smart card-enabled applications that reside on a server

- Simplifies your ongoing integration and deployment tasks because software is installed only on your servers and not on your workstations

If desired, standard Datakey CIP software can be installed on a client workstation to provide additional capabilities. Installing Datakey CIP on a workstation creates a fat client. This gives the user the ability to authenticate to and run applications that reside on either a server or on the local workstation. Both sets of applications are able to access the same locally attached token. In addition, fat clients support "roaming": users can disconnect from a session on one fat client and reconnect to that same session on a different fat client.

The remainder of this chapter is broken into two parts:

- Citrix implementation considerations (page 34 - page 41)

- Terminal Server and Remote Desktop implementation considerations (page 42 - page 45)


Citrix features

The following list identifies the functionality supported by Datakey CIP Thin within a Citrix environment.

- Token logon to Citrix MetaFrame servers (MetaFrame XP FR 2) from either a thin client or a fat client.
- Token access by server applications to client card readers/tokens.
- Same token access by both fat client applications and server-based applications.
- Direct token logon to server console via a token attached to the server.
- Biometric and PIN Pad logon from a fat client to MetaFrame server.
- Connections between clients and server via Citrix Program Neighborhood.
- Connections between clients and server via NFuse/Web Interface.
- Reestablishment of disconnected sessions from a fat client (fat client roaming).

Citrix architecture

The following figure illustrates the use of Datakey CIP Thin in a Citrix environment.

[Figure: Datakey CIP Thin in a Citrix environment]
- Thin Client: Citrix client software
- Fat Client: Datakey CIP on Win 98SE, NT 4.0 SP6, 2000 Pro, or XP Pro
- Windows-based access via Citrix Program Neighborhood; Internet Web access via NFuse/Web Interface
- MetaFrame Server with: Datakey CIP Thin; Win NT 4.0, 2000 Server, or 2003 Server; Published Applications; Published Desktop

 


Installing Datakey CIP Thin on a MetaFrame server

Datakey CIP Thin software cannot be installed on the server until the Citrix MetaFrame server software has been installed and is operable. Datakey CIP Thin can be installed on any MetaFrame server running Windows NT 4.0 SP6a, Windows 2000 Server, or Windows Server 2003. Datakey CIP Thin should be installed on all the MetaFrame servers in your server farm. To install Datakey CIP Thin, perform the following steps:

Note: The administrator does this, and it is only done once.

1. Log directly onto the MetaFrame server console as administrator. Installation will fail if logged in through a Citrix session.

2. From a command prompt, type the following command:

   change user /install

3. Install Datakey CIP Thin from the CD, using the serial number supplied. If you have both Datakey CIP and Datakey CIP Thin serial numbers, be sure to enter the CIP Thin serial number.

4. When presented with the list of reader types:
   - If there is a card reader attached to the server be sure to select that reader.
   - If there is no card reader attached to the server do not select a reader.
   - If there are one or more thin clients in your network that use a Datakey 10SR reader, select the Datakey 10SR reader in addition to your server reader.

5. When the installation is finished, reboot the MetaFrame server and log on as the administrator to complete the installation process.


Installing Datakey CIP on a client workstation

If you require secure access to both workstation- and server-based applications, you must create a fat client configuration by installing Datakey CIP on each client workstation. Datakey CIP cannot be installed on a client workstation until the Citrix client software has been installed and configured to enable the user to log on to the MetaFrame server. To install Datakey CIP on a workstation, perform the following steps:

Note: The administrator does this, and it is done once per workstation.

1. Log on to the client workstation as administrator.

2. Install Datakey CIP from the CD using the appropriate serial number.

3. Proceed with the installation using the standard Datakey CIP install process.

Using Datakey CIP Thin from the client

From the client perspective, the server-based Datakey CIP Thin software functions exactly the same as the workstation-based Datakey CIP software. When a client logs on to a server application through Citrix MetaFrame, Datakey CIP Thin provides the same token-based functionality available in standard Datakey CIP. Not only can the client authenticate to an application using certificates/keys or user names/passwords, they can also personalize tokens, view information about the reader and the token, test the token, and manage certificates. Fat clients (clients with Datakey CIP installed) can do all that thin clients can do, but in addition they have secure access to local applications.


Token logon using a Microsoft certificate

Users can log on to a MetaFrame server from a thin or fat client machine using a Microsoft logon certificate that is stored on a local token. In order to do so the following requirements must be met:

- The MetaFrame server must be a Windows 2000 server (or higher)
- The MetaFrame server must contain MetaFrame XP software (Feature Release 2) and Datakey CIP Thin 4.7 software (MU 20 or higher)
- The client machine must contain PC/SC software (e.g. Microsoft Resource Manager and WinSCard.dll)
- The client machine must contain Citrix client software that supports tokens (ICA Client 6.3.x or higher)
- The Citrix client software must be configured to enable token (smart card) logon
- The logon certificate must be stored on a token and the token inserted into a card reader that is attached to the client machine
- The MetaFrame server should be a member of the domain listed in the logon certificate that is stored on the token.

NFuse/Web Interface support

All Datakey CIP MetaFrame features that work through Citrix Program Neighborhood also work through the Citrix NFuse/Web Interface client software. Users can authenticate to the NFuse/Web Interface using either user names and passwords or via certificates stored on their token. Once authenticated to the NFuse/Web Interface users can launch MetaFrame published applications or connect to published desktops through their Web browser rather than through Citrix Program Neighborhood. Applications that run on the MetaFrame server, regardless of whether launched as a published application or started within a published desktop, will be able to access the token residing at the user's client machine.

Two ways to authenticate, two places to authenticate

When a user connects to a MetaFrame server using Citrix Program Neighborhood the user only needs to authenticate to one server: the MetaFrame server. On the other hand, when a user connects to a MetaFrame server via the NFuse/Web Interface the user needs to authenticate to two servers; first to the NFuse/Web Interface Web server, and then again to the MetaFrame server each time the user launches a published application or published desktop. These two authentication steps can be configured independently of each other. For example, you could configure the Web server to require token/certificate-based authentication but configure MetaFrame to allow user name/password-based authentication. With two ways to authenticate, and two places to which to authenticate, there are four different possible configurations:

Configuration   NFuse/Web Interface Web server   MetaFrame server
1               User name/password               User name/password
2               User name/password               Certificate from token
3               Certificate from token           User name/password
4               Certificate from token           Certificate from token

Datakey CIP Thin supports all four configurations. There are, however, limitations with some of the configurations. Configurations 3 and 4 are only supported from fat clients because Datakey CIP must be present on the client machine to support the retrieval of the certificate from the token. Configurations 1 and 2 are supported on either thin or fat clients and do not require any special configuration steps. The standard NFuse/Web Interface installation and configuration instructions provided by Citrix will suffice. Configurations 3 and 4, however, do require additional configuration steps beyond what is mentioned in the Citrix documentation.

Configuring NFuse/Web Interface for token/certificate-based authentication

Refer to the Citrix NFuse Classic Administrator's Guide or the Citrix Web Interface for MetaFrame XP Administrator's Guide for details on how to enable NFuse/Web Interface token support. All the required steps listed in those administrator's guides are necessary. However, do not enable any of the Citrix-provided pass-through authentication features; they are not secure. In addition to the steps listed in the Citrix administrator's guides, the Web server itself must be configured to require secure SSL connections and token/certificate-based authentication. The following section describes a sample set of Microsoft IIS settings which enables secure SSL connections and token/certificate-based authentication to your NFuse/Web Interface Web site.

Configuring Microsoft IIS

Note: To enable token/certificate-based authentication to the NFuse/Web Interface Web server, both the full Citrix client software and Datakey CIP must be installed on the client workstation. It is not possible to do token/certificate-based authentication to NFuse/Web Interface from thin clients.

1. Using the Administrator application Internet Information Services, right-click on the server name and select Properties.

2. Select the Master Properties WWW Service, click Edit and then select the Directory Security tab.

3. Enable the Enable the Windows directory service mapper check box.

4. In the Anonymous access and authentication control section, click Edit and then enable the Integrated Windows authentication check box.

5. Right-click on /Default Web Site, select Properties and then select the Directory Security tab.

6. Install a server certificate.

7. In the Secure communications section click Edit and then enable the following:
   - Require secure channel (SSL)
   - Require client certificates
   - Enable client certificate mapping

8. In the Anonymous access and authentication control section, click Edit and then:
   - Clear the Anonymous access check box (disable it)
   - Enable the Integrated Windows authentication check box.

   If the Inheritance Overrides dialog box appears, click Select All and then click OK.

9. Right-click on /Default Web Site/Citrix, select Properties and then select the Directory Security tab.

 Datakey CIP User’s User’s Guide

39

 

NFuse/Web NFuse/ Web IInterface nterface sup port

10.

11.

In the Secure communications section click Edit  and  and then enable the following:  

 Require secure secure channel (SSL)

 

 Require client certificates

 

 Enable client certificate mapping

In the Anonymous access and authentication control control section, click  Edit  and  and then:  

Clear the Anonymous access check box (disable it)

 

Enable the Integrated Windows Windows authentication check box.

If the Inheritance Overrides dialog box appears, click Select All and then click OK .
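The following PowerShell is an added example, not part of this guide or of the Datakey/SafeNet product. It applies and then verifies the same settings on IIS 7 or later, where the IIS 5/6 Directory Security dialogs above are replaced by applicationHost.config sections that the WebAdministration module exposes. Everything it assumes is an assumption, not a fact from the guide: that the site and application are still named Default Web Site and Default Web Site/Citrix, that the Active Directory client certificate mapping feature (clientCertificateMappingAuthentication, the IIS 7+ counterpart of the "Windows directory service mapper") is installed, and that the server certificate from step 6 is already bound to the site. The function names are illustrative.

```powershell
# Added example (not from the Datakey guide): IIS 7+ equivalent of the IIS 5/6
# MMC steps, via the WebAdministration module that ships with IIS.
Import-Module WebAdministration

$AppHost      = 'MACHINE/WEBROOT/APPHOST'          # applicationHost.config root
$CipLocations = @('Default Web Site', 'Default Web Site/Citrix')   # names taken from the guide

function Set-CipIisSecurity {
    param([Parameter(Mandatory = $true)][string]$Location)
    $common = @{ PSPath = $AppHost; Location = $Location }

    # "Require secure channel (SSL)" + "Require client certificates". IIS writes
    # all three flags when a client certificate is required, not negotiated.
    Set-WebConfigurationProperty @common -Filter 'system.webServer/security/access' `
        -Name 'sslFlags' -Value 'Ssl,SslNegotiateCert,SslRequireCert'

    # Clear "Anonymous access": the guide is explicit that it must be off.
    Set-WebConfigurationProperty @common `
        -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
        -Name 'enabled' -Value $false

    # "Integrated Windows authentication".
    Set-WebConfigurationProperty @common `
        -Filter 'system.webServer/security/authentication/windowsAuthentication' `
        -Name 'enabled' -Value $true

    # "Enable client certificate mapping" with the Windows directory service mapper.
    # Assumption: the AD client certificate mapping feature is installed on this server.
    Set-WebConfigurationProperty @common `
        -Filter 'system.webServer/security/authentication/clientCertificateMappingAuthentication' `
        -Name 'enabled' -Value $true
}

function Test-CipIisSecurity {
    # Reads the settings back and reports Compliant = $true only when every
    # setting the guide requires is in place for the given location.
    param([Parameter(Mandatory = $true)][string]$Location)
    $common = @{ PSPath = $AppHost; Location = $Location }

    # sslFlags reads back as names ("Ssl, SslNegotiateCert, SslRequireCert") or,
    # on some builds, as the numeric flags value; SslRequireCert is bit 64.
    $ssl = "$(Get-WebConfigurationProperty @common -Filter 'system.webServer/security/access' -Name 'sslFlags')"
    $requireCert = if ($ssl -match '^\d+$') { ([int]$ssl -band 64) -ne 0 } else { $ssl -match 'SslRequireCert' }

    $anon = [bool](Get-WebConfigurationProperty @common -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name 'enabled').Value
    $win  = [bool](Get-WebConfigurationProperty @common -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name 'enabled').Value
    $map  = [bool](Get-WebConfigurationProperty @common -Filter 'system.webServer/security/authentication/clientCertificateMappingAuthentication' -Name 'enabled').Value

    [pscustomobject]@{
        Location          = $Location
        SslFlags          = $ssl
        RequireClientCert = $requireCert
        AnonymousAuth     = $anon
        WindowsAuth       = $win
        AdCertMapping     = $map
        Compliant         = $requireCert -and (-not $anon) -and $win -and $map
    }
}

# Apply to both locations the guide names, then print the verification table.
foreach ($loc in $CipLocations) {
    Set-CipIisSecurity  -Location $loc
    Test-CipIisSecurity -Location $loc
}
```

Run it elevated on the Web server. A Compliant value of $false on either row means a client without a token can still reach that location, which is exactly the situation the guide's warning about passthrough authentication is meant to prevent. On IIS 5/6 itself there is no WebAdministration module; use the MMC steps above.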

A Note on Citrix Secure Gateway and NFuse/Web Interface

If you are deploying both Citrix Secure Gateway and NFuse/Web Interface and you wish to use authentication configurations 3 or 4, you must not configure the NFuse/Web Interface to be behind the Citrix Secure Gateway; these two must be configured to be in parallel. Client-certificate authentication only works when the client's SSL session terminates at the IIS server that checks the certificate, which is not the case when the Web Interface sits behind the gateway. See Figure 1.1 in the Citrix document Best Practices for Securing Citrix Secure Gateway Deployment.

Publishing PKI applications when Datakey CIP Thin is installed

The Citrix MetaFrame product gives administrators the ability to configure published applications. Perform the following steps to publish PKI applications once Datakey CIP Thin is installed:

Note: The following steps apply only to Windows NT 4.0 Terminal Server users. Windows 2000 Server (or later) users can simply follow the instructions in the MetaFrame Administrator's Guide.

1. Log on to the MetaFrame Server as Administrator.
2. Begin following the steps in the MetaFrame Administrator's Guide for publishing an application.
3. When asked to enter the command line to run the application, click the Browse button and navigate to the folder in which Datakey CIP Thin is installed. This is typically W:\Program Files\Datakey\crypt32. Select the file StartApp.bat and click Open.
4. Edit the command line entry that appears and add, as a parameter to StartApp.bat, the path to the application to publish. For example:
   "M:\Program Files\Datakey\Crypt32\StartApp.bat" M:\MyFolder\MyApp.exe
   The path to the application must be outside the double quotes.
5. Change the working directory if a different one is desired.
6. Continue following the steps in the MetaFrame Administrator's Guide.
7. When finished, right-click the new entry that appears in the Published Application Manager display and select Properties.
8. Click the Change Icon button.
9. Navigate to the application just published (e.g. M:\MyFolder\MyApp.exe), select it and click Open.
10. Click OK twice to exit the Properties dialog.

Microsoft Terminal Server features

The following list identifies the functionality supported by Datakey CIP Thin within a Microsoft Terminal Server environment.

• Token (smart card) logon to Terminal Servers (Windows 2003 Server) from either a thin client or a fat client.
• Token access by server applications to client card readers/tokens.
• Same token access by both fat client applications and server-based applications.
• Direct token logon to the server console (Windows Server 2000 or Windows 2003 Server) via a token attached to the server.
• Biometric and PIN Pad logon from a fat client to Terminal Server.
• Connections from clients to Terminal Servers via Remote Desktop Protocol (RDP) V5.1.
• Reestablishment of disconnected Windows 2003 Terminal Server or Windows XP sessions from a fat client (fat client roaming).

Terminal Server architecture

The following figure illustrates the use of Datakey CIP Thin in a Terminal Server environment.

[Figure: a thin client running the Microsoft Remote Desktop software and a fat client running Datakey CIP on Windows 2000 Pro or XP Pro both connect via Remote Desktop Protocol (RDP) to a Terminal Server running Datakey CIP Thin on Windows 2003 Server.]

Installing Datakey CIP Thin on a Terminal Server

To install Datakey CIP Thin on a Windows 2003 Terminal Server, perform the following steps:

Note: You must install Datakey CIP Thin on any server that has terminal services enabled. Failing to install Datakey CIP Thin on such a server will prevent Datakey CIP from functioning.

1. Log directly onto the Terminal Server console as administrator.
2. From a command prompt, type the following command:
   change user /install
3. Install Datakey CIP Thin from the CD using the serial number supplied (you must use the CD; you cannot install Datakey CIP Thin over a network). If you have both Datakey CIP and Datakey CIP Thin serial numbers, be sure to enter the Datakey CIP Thin serial number.
4. When presented with the list of reader types:
   • If there is a card reader attached to the server, be sure to select that reader.
   • If there is no card reader attached to the server, do not select a reader.
   • If there are one or more thin clients in your network that use a Datakey 10SR reader, select the Datakey 10SR reader in addition to your server reader.
5. When the installation is finished, reboot the Terminal Server and log on as the administrator to complete the installation process.
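As an added pre-install check for the procedure above (example code, not from this guide or the product), the following PowerShell confirms on the server console that terminal services are enabled, that the session has actually been switched to install mode with change user /install, and whether a Datakey CIP Thin installation is already present. The install folder and the StartApp.bat file name come from this guide; the registry value, the TermService service name, the "change user /query" output wording and the function name are assumptions about Windows, not facts from the guide.

```powershell
# Added example (not from the Datakey guide): pre-flight check before installing
# Datakey CIP Thin on a Terminal Server.
function Get-CipTerminalServerPreflight {
    param(
        # Default install folder as named in the guide (the drive letter varies per server).
        [string]$CipThinPath = (Join-Path $env:ProgramFiles 'Datakey\crypt32')
    )

    # Assumption: fDenyTSConnections = 0 means Terminal Services connections are allowed.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                           -Name fDenyTSConnections -ErrorAction SilentlyContinue
    $tsEnabled = ($null -ne $ts) -and ($ts.fDenyTSConnections -eq 0)

    # Assumption: the Terminal Services service is registered as TermService.
    $svc = Get-Service -Name TermService -ErrorAction SilentlyContinue
    $svcRunning = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    # "change user /query" reports whether the session is in INSTALL or EXECUTE mode
    # (assumed output wording); the guide requires install mode before running setup.
    $modeText    = (& change user /query 2>&1 | Out-String)
    $installMode = $modeText -match 'INSTALL'

    # The guide places StartApp.bat in the CIP Thin folder, so its presence is a
    # reasonable indicator that CIP Thin is already installed.
    $cipThinPresent = Test-Path -Path (Join-Path $CipThinPath 'StartApp.bat')

    [pscustomobject]@{
        TerminalServicesEnabled = $tsEnabled
        TermServiceRunning      = $svcRunning
        InstallModeActive       = $installMode
        CipThinAlreadyInstalled = $cipThinPresent
        ReadyToInstall          = $tsEnabled -and $svcRunning -and $installMode -and (-not $cipThinPresent)
    }
}

# Typical use on the server console, before inserting the CD:
#   change user /install
#   Get-CipTerminalServerPreflight
#   (run the Datakey CIP Thin setup from the CD, then reboot as the guide says)
Get-CipTerminalServerPreflight
```

If ReadyToInstall is $false because InstallModeActive is $false, run change user /install in the same session and check again; an installation performed in execute mode does not register its per-user settings for other Terminal Server users, which is the failure the guide's note about CIP not functioning describes from the user's side.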

Installing Datakey CIP on a Windows client workstation

If you require secure access to both workstation- and server-based applications, you must create a fat client configuration by installing Datakey CIP on each Windows client workstation. To install Datakey CIP on a workstation, perform the following steps:

Note: The administrator does this, and it is done once per workstation.

1. Log on to the client workstation as administrator.
2. Install Datakey CIP from the CD using the appropriate serial number.
3. Proceed with the installation using the standard Datakey CIP install process.

Using Datakey CIP Thin from a Windows client

From the Windows client perspective, the server-based Datakey CIP Thin software functions exactly the same as the workstation-based Datakey CIP software. When a client logs on to a Terminal Server application, Datakey CIP Thin provides the same token-based functionality available in standard Datakey CIP. Not only can the client authenticate to an application using certificates/keys or user names/passwords, they can also personalize tokens, view information about the reader and the token, test the token, and manage certificates. Fat clients (clients with Datakey CIP installed) can do all that thin clients can do, but in addition they have secure access to local applications.

Fat client capabilities with remote Windows XP machines

Architecture

The following figure illustrates how fat clients can interact with remote Windows XP machines.

[Figure: two fat clients (Datakey CIP on Windows 2000 Pro or Windows XP Pro) connect via Remote Desktop Protocol (RDP) to a remote Windows XP machine running Datakey CIP Thin or Datakey CIP.]

Capabilities

• Remote desktop connections from a fat client to a remote Windows XP machine.
• Token (smart card) logon to remote Windows XP machines from a fat client.
• Biometric and PIN Pad logon from a fat client to a remote Windows XP machine.
• Reestablishment of disconnected Windows XP sessions from a fat client (fat client roaming).
• Fast user switching (switching between different users on the same Windows XP machine) is supported but is mutually exclusive with Remote Desktop: the Windows XP machine cannot be configured for both fast user switching and Remote Desktop.

Troubleshooting Citrix and Terminal Server issues

This section contains solutions to some of the more common problems you might experience while using CIP Thin in a Citrix or Terminal Server environment.

• Improperly disconnecting from a Citrix server: If you are on a thin client and you disconnect from a Citrix server rather than logging off, the session will remain open but in a disconnected state. In order to reestablish communication with the local smart card reader, you must log off properly and then log back in.
• Roaming: If you leave a session on one computer and then attempt to reestablish the session at a different computer (roaming), both computers must contain the same number of readers and the same models of readers. Roaming will fail if both computers do not have the exact same reader configuration.
• Remote desktop connections: In order to make a remote desktop connection, both computers must contain the exact same reader configuration. Also, before starting the connection, make sure the smart card is inserted in the card reader.
• Attempting to "multi-hop": You can make a remote desktop connection from Computer A to Computer B, but if you attempt to multi-hop by making a subsequent connection to Computer C, the connection will fail.

Chapter 5

Using the CIP Utilities

The Datakey CIP Utilities is an intuitive, easy-to-use program that is used to view and manage Datakey tokens and the objects contained on the tokens. The program reports token and reader status and can be used for base-level diagnostics. Administrators can configure the functionality and features available for enterprise deployment through an administrative wizard included with CIP Utilities. This chapter describes how to use the CIP Utilities program. Not every menu option described in this chapter may be available to every user. See page 56 for more information.

Starting CIP Utilities

There are two methods for starting the CIP Utilities program:

• Using the Windows Start button
• Using SmartMonitor

Starting CIP Utilities using the Windows Start button

To start CIP Utilities from the Windows Start button, select Start -> Programs -> Datakey CIP -> CIP Utilities. The CIP Utilities window is displayed.

Starting CIP Utilities using SmartMonitor

If Datakey CIP Desktop is installed on your system, you can start CIP Utilities using the SmartMonitor icon.

1. Right-click the SmartMonitor icon located in your computer's system tray.
2. Select the CIP Utilities menu option. The CIP Utilities window is displayed.

The CIP Utilities window—Some basics

When CIP Utilities is started a window similar to the following appears:

[Figure: the CIP Utilities window, showing the left pane and the right pane.]

The CIP Utilities window is divided into two panes.

• The left pane displays all the available tokens, readers, and the contents of the token within each reader. The contents displayed for each token will vary: the public contents are always displayed; the private contents (private keys, data objects, etc.) are displayed only if you are logged in to the token.
• The right pane displays information about the item selected in the left pane. You can adjust the size of the right pane by clicking and dragging the left edge of the right pane.

It is very simple to get information about any object displayed in the left pane. Simply click the item that you want information about, and the information is automatically displayed in the right pane.

Note: Many of the tasks performed within CIP Utilities involve right-clicking objects to display a right-click menu. If you don't have a mouse or if you prefer to use the keyboard, pressing either Shift-F10 or the Windows Application key will display the right-click menu.

Copying and clearing text in the right pane

You can copy some or all of the text displayed in the right pane to your computer's clipboard. You can also clear all text from the right pane. To perform either of these actions, perform the following steps:

1. Position the cursor in the right pane.
2. (Conditional) If you wish to copy a specific block of text, select the desired text from within the right pane.
3. Right-click the mouse. The following menu appears:
4. Select the appropriate menu option.
   • To copy selected text, select Copy.
   • To copy all text in the right pane, select Copy All.
   • To clear all text in the right pane, select Clear.

Note: If you paste copied text into another application and the text is not visible, it's probably because your font color is set to white. Try changing the font color within the application or within CIP Utilities (see page 51).

Changing the background color in the right pane

You can modify the appearance of the information displayed in the right pane by changing the background color and font settings. To change the background color in the right pane, perform the following steps:

1. Position the cursor in the right pane, then right-click the mouse. The following menu appears:
2. Select Set Background Color. The Color window appears.
3. Select the desired background color, then click OK.

Changing the font settings

To change the font settings in the right pane, perform the following steps:

1. Position the cursor in the right pane, then right-click the mouse. The following menu appears:
2. Select one of the font menu items.
   • Set Font Color: Select this menu item to modify the font color.
   • Font: Select this menu item to specify a Normal font, a Bold font, or an Italic font.
   • Font Size: Select this menu item to specify the size of the font.

Toolbar buttons

The toolbar contains the following buttons:

• Refreshes the display.
• Displays the Cryptoki Trace Settings window. This is used to determine what items will be stored in the CIP log for each Datakey CIP event.
• Launches the Quality Feedback Agent. This is a utility that enables Datakey customers experiencing problems with their tokens and/or token readers to collect pertinent data and send a problem report to the Datakey Technical Support staff.
• Displays version information about CIP Utilities and other Datakey programs.
• Displays context-sensitive Help for selected items.

Icons

Unique icons are used to identify the following object types within the left pane:

• a card reader
• a digital certificate
• a certificate that is also contained in the Windows certificate store
• a public key (blue)
• a private key (gold)
• a data object

Modifying and updating the display

The View menu enables you to modify how CIP Utilities displays information and to update the information currently being displayed.

• View -> Toolbar: Select this option to toggle the toolbar on and off. The toolbar is located directly beneath the primary menu and contains the icons described under Toolbar buttons above.
• View -> Status Bar: Select this option to toggle the status bar on and off. The status bar is located at the bottom of the CIP Utilities window.
• View -> Detailed Display: Select this option to specify how much information is displayed in the right pane: either complete details about an item or just the basic information.
• View -> Refresh: Select this option to refresh the CIP Utilities window with the most current information.

Configuring CIP Utilities options

The Options menu enables you to uniquely configure a number of CIP Utilities options.

Configuring CIP DKLogger settings

Select Options -> CIP -> DKLogger Settings to configure the level of messages that will be logged in DKLogger.

Configuring CIP Log settings

Select Options -> CIP -> CIP Log Settings to configure the Cryptoki Trace Settings. The trace settings determine what items will be stored in the CIP log for each event. A check mark appears in front of an item when the item is enabled.

Enabling/disabling the Token Server

Select Options -> CIP -> Start Token Server to specify whether the CIP Token Server will be automatically started each time the computer is activated. The Token Server must be active in order for Datakey CIP to interact with a token reader. A check mark appears in front of this option when it is enabled.

Note: You must reboot your computer before any change takes effect.

Enabling/disabling 10SR readers

Select Options -> CIP -> Enable 10SR Readers to specify whether support will be provided for a model 10SR serial token reader. Enable this option only if you have a 10SR reader. If you do not have a model 10SR token reader, disabling this option will enhance your system performance. A check mark appears in front of this option when it is enabled.

Configuring the Auto Cert Register Utility

The Auto Cert Registration Utility automatically registers digital credentials contained on a Datakey token with Microsoft Windows and many other desktop applications. If you want the digital credentials to be deleted from the Windows certificate store whenever the token is removed from the reader, select Options -> Auto Cert Register and toggle on the Delete On Removal option. A check mark appears when this option is enabled. For detailed information about the Auto Cert Registration Utility, refer to the Datakey CIP Desktop User's Guide.

Enabling/disabling the CIP Utilities log

Select Options -> CIP Utilities -> Enable CIP Util Logging to toggle the CIP Utilities log option on or off. The CIP Utilities log is separate from the CIP log; the CIP Utilities log only collects information about the CIP Utilities. CIP Utility log information is collected in a file named ciputils.log. The file is saved in the same directory as the ciputils.exe executable file. A check mark appears when this option is enabled.

Configuring the object name display

Select Options -> CIP Utilities -> Choose Object Name to define which identifier is displayed in parentheses next to each item in the left pane. The following figure illustrates the position of the object name:

[Figure: the object name shown in parentheses next to each item in the left pane.]

Valid options are:

Launching the Quality Agent

Select Options -> Launch Quality Agent to start the Quality Agent. The Quality Agent is a utility that enables Datakey customers experiencing problems with their tokens and/or token readers to collect pertinent data and send a problem report to the Datakey Technical Support group. For detailed information about the Quality Agent, after launching the utility, press F1 and read the online Help system.

Specifying CIP Utilities program options

Note: This option applies only to administrators.

Select Options -> Configuration to specify the CIP Utilities program options that will be made available to your users. When you select the Configuration option the following window appears:

The CIP Utilities are shipped with all options fully enabled. If you, as an administrator, wish to restrict the tasks your users can perform, you can do so using the Configuration option. After setting the parameters the way you want, click OK to save the new configuration to the DKAdmin.dat file. The DKAdmin.dat file is a control file for CIP Utilities. When you install Datakey CIP on your users' computers, simply use the new configuration file rather than the original file.

IMPORTANT! By default the DKAdmin.dat file is stored in the \Program Files\Datakey\Crypt32 directory. Be careful not to overwrite your own default DKAdmin.dat file or you may inadvertently restrict your own options.

If you make changes to the default setting, be sure to disable the Enable access to the Configuration Dialog option. Otherwise, your users may be able to modify these settings on their own. Because DKAdmin.dat is read from the local machine, these restrictions only hold for users who cannot replace the file: keep the \Program Files\Datakey\Crypt32 directory writable by administrators only.

Token reader tasks

There are a number of tasks you can perform on a token reader. Simply right-click on a token reader and the following menu is displayed:

Logging on/off a token

To log on to a token, perform the following steps.

1. Right-click the token reader that contains the desired token.
2. Select Login. The Login window appears:
3. Type your token passphrase, then click OK.

CIP Utilities will indicate you are currently logged on to the token by displaying Logged In on the token reader header line. CIP Utilities will also display both public and private objects contained on the token.

To log off a token, perform the following steps.

1. Right-click the token reader that contains the desired token. This time the top menu item will be Logout rather than Login.
2. Click Logout. You are immediately logged off the token.

Changing the token passphrase

The token passphrase is used to protect and activate your token. If you wish to change your passphrase, perform the following steps:

Note: If you have the Datakey CIP Desktop installed on your system, you can also use the Passphrase Utility to change your token passphrase. See the Datakey CIP Desktop User's Guide for details.

1. Right-click the reader containing the token, then select Change Passphrase. The Change Passphrase window appears.
2. Type your old (current) passphrase in the Old Passphrase field. Asterisks appear in the display instead of the passphrase characters in order to keep your passphrase safe. Be careful when typing your old passphrase, because typing the wrong passphrase too many times will block your token; a blocked token can only be recovered by initializing it, which erases everything stored on it (see Initializing a token).
3. Type your new passphrase in the New Passphrase field. The minimum length of a passphrase is four alphanumeric characters, and the maximum length is 20 alphanumeric characters. Four characters is the product minimum, not a recommendation; choose a passphrase close to the maximum length. Select a passphrase that is difficult to guess. Avoid using the obvious types of passphrases such as your first, middle, or last name, birth date, employee number, social security number, etc. Passphrases are case sensitive, so verify the position of the Caps Lock key.

4. Re-type the same new passphrase in the Reenter New Passphrase field.
5. Click OK.

Note: The Secure Authenticate fields are not used at this time.

Changing the token label

The token label is a user-friendly label used to identify the token. If no label has been assigned to the token, this field defaults to the token serial number. To change the token label, perform the following steps:

1. Right-click the reader containing the token, then select Change Label. The Token Label window appears.
2. Type the new label in the Token Label field. The label can be from 1 to 32 characters long.
3. Click OK.

To view the token label, select the reader containing the token; the label is displayed in the right pane.

Changing the Inactivity Timer

CIP Utilities contains an Inactivity Timer. This option gives you the ability to set the inactivity timer on the token. To configure the Inactivity Timer, perform the following steps:

1. Right-click the reader containing the token, then select Change Inactivity Timer. The Token Inactivity Timer window appears.
2. Select the desired timeout option.
   • Card login required for each operation: Programs that use the token will prompt the user to log on to the token each time the program requires access to the token.
   • Card login remains valid until card is removed: After an initial login, programs can access the token without further user interaction until the token is removed from the card reader. This is the most convenient setting, but it also lets any program running in your session use the token without prompting for as long as the token stays inserted.
   • Logout from card after inactivity of: Programs are logged off the token if the token is idle for the specified number of minutes. Use the up and down arrows to specify the number of minutes the token can remain idle before it times out. You can also type a value directly into the field. Valid values are from 1 to 240.
3. Click OK.

Initializing a token

New tokens must be initialized before keys, certificates, or other items may be stored on the token. The initialization process also removes existing items from the token, leaving only the serial number and the token label intact. Initialization can also be used to unlock a blocked token.

IMPORTANT! Do not perform this process once you have personalized your token. Initialization removes all information except the serial number and the token label. All your exchange and signature keys are removed and your security administrator will need to replace the exchange key for you.

IMPORTANT! Windows 2000/XP users only: If the token was used to log on to the active Windows 2000 or Windows XP session, it should not be initialized. Log off of Windows and bring the token to another station to be initialized, or use another method to log on.

To initialize a token, perform the following steps:

1. Right-click the reader containing the token, then select Initialize Token. The Token Initialization window appears.
2. Read the warning messages, then either click Continue Initialization to continue the initialization process or click Cancel to terminate the process.
3. If you click Continue Initialization, the token is initialized. When the process is complete a window similar to the following appears.
4. Click OK.
5. See page 59 for information on changing the default passphrase to a more secure passphrase.

Testing a token

You can test the token to verify it is working properly. The test function checks the token for defects by exercising the basic cryptographic operations such as generating, storing, and deleting a public/private key pair. To test a token, perform the following steps:

1. Right-click the reader containing the token, then select Test Token. The following window appears.
2. Click OK. Information about each step in the test process is displayed in the right pane. When the test process is complete the following message is displayed:

Test Token Successful

Importing a PKCS#12 file

You can import existing PKCS#12 files (certificates together with their private keys) to a token. To import a PKCS#12 file, perform the following steps:

1. Right-click the reader containing the token, then select Import PKCS#12 File. The Import File window appears.
2. Navigate to the location of the PKCS#12 file, select the file, then click Open. The following window appears.
3. Type the password associated with the PKCS#12 file, then click OK. The Select Container Name window appears.
4. Accept the default container name or type a new container name for the certificate, then click OK. This is the CSP container name displayed in parentheses on the public and private key names. See page 55 for information on displaying CSP container names. The PKCS#12 file is unwrapped and the certificate and its keys are copied to the token. When the process is complete the following message box appears.

Once the import has succeeded, the PKCS#12 file still holds the same private key in software form, protected only by its password; delete it from disk, or keep it only under the escrow controls your organization applies to such files.

Displaying library version information

To determine the version of driver software currently running on a token, right-click the reader containing the token, then select Library Version. The software driver information is displayed at the bottom of the right pane in the CIP Utilities window. For example:

[Figure: library version information displayed at the bottom of the right pane.]

Note: The library version information is written to the bottom of the right pane each time you perform this operation.

Importing a certificate from the Windows certificate store

If a certificate is stored in the Windows certificate store, but the certificate is not contained on the desired token, you can import the certificate from the certificate store to the token. You do this by right-clicking the reader containing the token, then selecting Import Certificate from System. The certificate that is stored in the certificate store must be associated with a key pair on the token in order to successfully import the certificate to the token.

Displaying Common Access Card (CAC) data

This applies only if a CAC card is inserted in the token reader. To view the data on the CAC card, right-click the reader and then select Display Common Card Data.

Certificate tasks

A certificate is used to positively identify yourself to others, or vice versa. A certificate is a confirmation of your identity and contains information used to protect data or to establish secure network connections. A certificate can be used to digitally sign a piece of information so that you can determine the author of the information. A copy of your public key is contained within a certificate. There are a number of tasks you can perform on a certificate. Simply right-click on a certificate and the following menu is displayed:

Deleting a certificate from a token

To delete a certificate from a token, right-click the certificate and then select Delete From Token. Select Yes at the confirmation dialog box.

Moving a certificate to/from Windows

Certificates that Windows "knows" about are stored in the certificate store on your computer. If you are working on a computer that does not contain a copy of your certificate in its certificate store, you will not be able to encrypt a file or an email message. Why? Because the certificate in the certificate store acts as a pointer to the more secure portion of your digital credentials: the private key located on your smart card. Without this pointer the system will not be able to locate your private key.

Copying a certificate to the Windows certificate store: To copy a certificate from your token to the certificate store on a computer, perform the following steps:

1. Right-click the certificate.
2. Select Copy to System. The certificate is copied to the Windows certificate store. The certificate icon changes to a double certificate, indicating the certificate also resides in the certificate store.

Deleting a certificate from the Windows certificate store:
To delete a certificate from the certificate store, perform the following steps:

1. Right-click the certificate.

2. Select Delete From System. The certificate is deleted from the Windows certificate store. The certificate icon changes to a single certificate, indicating the certificate resides only on the token.

Exporting a certificate to a file
If you wish to move a copy of a certificate located on your token to a hard drive or some other location, you must first export the certificate to a DER encoded binary X.509 file. To export a certificate to a file, perform the following steps:

1. Right-click the certificate, then select Export To File. The following window appears.

2. Navigate to the folder you want to save the file in, then type a name in the File name field. The file name must end with a .cer extension. When the export process is complete an informational message is displayed in the right pane.

Set a certificate as the default container
A container consists of three related components: a public key, a private key, and a certificate. The default container is the first container on a token. If a token contains multiple containers you may wish to specify one of the containers as the default container. For example, the Windows 2000 and the Windows XP logon procedure uses only the default container; if you are using Windows 2000 or Windows XP logon you probably want to set the certificate and the keys used with Windows 2000/XP logon as the default container. To set a certificate and its related public/private keys as the default container, right-click the desired certificate, then select Set to Default Container. The public key is technically the component that defines the default container, so the public key associated with the default container is displayed in a bold face font in order to highlight the default container.

Editing certificate attributes
To modify a certificate’s label, container name, or ID, perform the following steps:

Caution! Only qualified administrators should edit a certificate’s attributes.

1. Right-click the certificate, then select Edit Object. The Edit Certificate File Attributes window appears.

2. Click in the desired field and modify the contents as desired.

3. If you want to use the hash value of the public modulus as the certificate ID, click Use hash of public modulus for CKA_ID. The value is computed and inserted in the CKA_ID field.

Updating a token
Sometimes certain components that should be available on a token are temporarily “lost.” CIP Utilities provides the ability to restore certain missing components. For example, a missing public key can be restored by retrieving it from the associated private key.

To update a token, right-click the desired certificate, then select Update Token. Missing components are retrieved and automatically displayed in the left pane. The update token process also renames all three components to the same container name as the related private key.

Public key and private key tasks
Public and private keys are used to encrypt/decrypt files and messages. Your public key is freely distributed and used by others when encrypting messages sent to you. Your private key is used to decrypt the encrypted messages. Your private key must be protected at all costs. There are a number of tasks you can perform on a public or private key. Simply right-click on the desired key and the following menu is displayed:

Deleting a key from a token
To delete a public or private key from a token, right-click the key and then select Delete From Token. Select Yes at the confirmation dialog box.

Exporting key information to a file
If you wish to move information about a particular public or private key to a file, one way to do it is to export the information to a text file. To export key information to a file, perform the following steps:

Note: Information about the key is exported, not the key itself.

1. Right-click the key, then select Export To File. The Select the key file window is displayed.

2. Specify the name and location of the file, then click Save. The default name for the file is KeyInfo.txt.

Set a key as the default container
A container consists of three related components: a public key, a private key, and a certificate. The default container is the first container on a token. If a token contains multiple containers you may wish to specify one of the containers as the default container. For example, the Windows 2000 logon procedure uses only the default container; if you are using Windows 2000 logon you probably want to set the certificate and the keys used with Windows 2000 logon as the default container. To set a key and its related components as the default container, right-click the desired key, then select Set to Default Container. The public key is technically the component that defines the default container, so the public key associated with the default container is displayed in a bold face font in order to highlight the default container. The public key associated with the default container also becomes the first key on the token.

Editing public/private key attributes
To modify a public or private key’s attributes, perform the following steps:

Caution! Only qualified administrators should edit a key’s attributes.

1. Right-click the public or private key, then select Edit Object. If you are editing a public key the Edit Public Key Attributes window appears. If you are editing a private key the Edit Private Key Attributes window appears.

2. Click in the desired field and modify the contents as desired.

3. If you want to use the hash value of the public modulus as the certificate ID, click Use hash of public modulus for CKA_ID. The value is computed and inserted in the CKA_ID field.
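Both attribute editors (for certificates and for keys) offer “Use hash of public modulus for CKA_ID”. The following Python is an added illustration, not code from the Datakey CIP software, of what that computation involves: it encodes a PKCS#1 RSAPublicKey in DER (the same encoding family as the DER X.509 .cer files exported earlier in this chapter), parses it back with a minimal TLV reader that handles long-form lengths and the INTEGER sign pad, and hashes the raw modulus bytes. The guide does not name the hash algorithm; SHA-1 (the usual PKCS#11 convention) and the constructed 2048-bit stand-in modulus are assumptions of this example.

```python
"""Added example (not part of the Datakey CIP guide or software): derive a CKA_ID
from the public modulus of an RSA key.  SHA-1 as the hash and the constructed
modulus below are assumptions, not values taken from the guide."""
import hashlib


def der_encode_length(n: int) -> bytes:
    # Short form for lengths < 128; long form (0x80 | byte count, then big-endian bytes) otherwise.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_encode_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + der_encode_length(len(value)) + value


def der_encode_integer(n: int) -> bytes:
    # DER INTEGER is two's complement: a positive value whose top bit is set needs a 0x00 pad.
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_encode_tlv(0x02, body)


def der_read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV starting at pos; raise on truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        count = length & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def rsa_public_key_der(modulus: int, exponent: int) -> bytes:
    """Encode PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    return der_encode_tlv(0x30, der_encode_integer(modulus) + der_encode_integer(exponent))


def parse_rsa_public_key(der: bytes):
    """Decode an RSAPublicKey; the sign pad disappears when the bytes become an int."""
    tag, seq, end = der_read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single RSAPublicKey SEQUENCE")
    tag_n, n_bytes, pos = der_read_tlv(seq)
    tag_e, e_bytes, pos = der_read_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(seq):
        raise ValueError("expected exactly two INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def is_well_formed_rsa_public_key(der: bytes) -> bool:
    try:
        parse_rsa_public_key(der)
        return True
    except ValueError:
        return False


def cka_id_from_modulus(modulus: int) -> bytes:
    # Hash the minimal big-endian modulus bytes (no DER sign pad); SHA-1 is an assumption here.
    return hashlib.sha1(modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")).digest()


def cka_id_from_der(der: bytes) -> bytes:
    modulus, _ = parse_rsa_public_key(der)
    return cka_id_from_modulus(modulus)


# Constructed 2048-bit stand-in for a modulus (NOT a real RSA key); any odd 2048-bit
# integer with the top bit set exercises the long-form length and sign-pad paths.
MODULUS = (1 << 2047) | int.from_bytes(hashlib.sha256(b"constructed sample").digest() * 8, "big") | 1
EXPONENT = 65537

if __name__ == "__main__":
    der = rsa_public_key_der(MODULUS, EXPONENT)
    print("RSAPublicKey DER length:", len(der))
    print("CKA_ID (SHA-1 of modulus):", cka_id_from_der(der).hex())
```

Because the ID is derived from the modulus alone, the certificate, the public key and the private key of one container all end up with the same CKA_ID, which is what lets the token-side objects be matched to each other.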

Updating a key on a token
Sometimes certain components that should be available on a token are temporarily “lost.” CIP Utilities provides the ability to restore certain missing components. For example, a missing public key can be restored by retrieving it from the associated private key. To update a token, right-click the desired certificate, then select Update Token. Missing components are retrieved and automatically displayed in the left pane. The update token process also renames all three components to the same container name as the related private key.

Data object tasks
In general, CIP Utilities treats as a data object any object that is not a certificate, a public key, or a private key. A data object can be almost anything, from sensitive information to input/output associated with a particular application. For example, SmartLogon and SmartNotes, two Datakey CIP Desktop applications, both store data objects on a token. There are a number of tasks you can perform on a data object. Simply right-click on the desired data object and the following menu is displayed:

Deleting a data object from a token
To delete a data object from a token, right-click the object and then select Delete From Token. Select Yes at the confirmation dialog box.

Export data object information to a file
If you wish to move information about a particular data object to a file, one way to do it is to export the information to a text file. To export data object information to a file, perform the following steps:

1. Right-click the data object, then select Export To File. The Select the key file window is displayed.

2. Specify the name and location of the file, then click Save. The default name for the file is DataInfo.txt.

Help menu
To view the online Help system, click Help -> Help Topics.

To display version information about CIP Utilities and other Datakey software, click Help -> About CIP Utilities.

Troubleshooting using CIP Utilities
CIP Utilities is a useful application for troubleshooting problems when using Datakey CIP. It can be used to verify that your token reader and token are functioning properly. If you are able to perform the following tests successfully, your problem is most likely with the application you are trying to use with Datakey CIP. To verify that your reader and token are functioning properly, do the following:

1. Ensure that your card reader is securely plugged into your machine and that your token is fully inserted.

2. Shut down all applications that are currently running on your machine.

3. Reboot.

4. If you are using a serial token reader, watch the light on your token reader. It should blink off, then on again shortly after reboot.

5. Launch CIP Utilities. After it launches, you should see your token label and serial number displayed. This confirms that your machine is communicating with your token.

Common problems
If the above tests do not succeed, your reader is not communicating with the Datakey CIP drivers. Common causes of this problem include:

• Reader/token not securely plugged in.

• Software not installed or installed improperly.

• Serial port conflict. Another serial device is configured to use the same COM port that your token reader is plugged into.

• Serial port interrupt conflict. You have a device configured to use a COM port that shares an interrupt with the port that your token reader is plugged into. For example, COM1 and COM3 usually share an interrupt, as do COM2 and COM4.

Possible solutions
The following list provides suggestions to help get your reader to function properly:

• Check to ensure that the reader is plugged into the machine tightly and the card is plugged in all the way.

• If you are using a serial reader and you suspect your reader may not have been plugged in securely, reboot your machine. Your serial reader must be present at startup in order to be recognized.

• If you have another COM port available, try swapping the reader into it.

• Try plugging another piece of hardware into the serial port, such as a 9-pin serial mouse. If the device works, then you know the port is in proper working order.

• Look for any serial devices in use on the machine in question. Common problem devices are internal modems and infrared ports on laptops. If you locate such a device, try configuring it to use a different COM port or disable it to complete the test.

Exiting CIP Utilities
If you wish to exit the CIP Utilities program, click File -> Exit.

The program will terminate t erminate immediately.

Chapter 6

Unblocking a Token

Overview
A Datakey 330u token is similar to a Datakey 330 token, with the exception that a Model 330u token contains up to six “one time use” unblocking PINs that can be used in the event the token becomes blocked. A token becomes blocked if the pass phrase used to access the token is not entered correctly within a specified number of attempts.

Note: Datakey 330 tokens cannot be unblocked. If they become blocked they must be re-initialized.

Unblocking a Datakey 330u token

Unblocking a token from within CIP Utilities
To unblock a Datakey 330u token from CIP Utilities, perform the following steps:

1. Ask your administrator for the next available unblocking PIN.

2. Insert the blocked token into the reader.

3. Right-click the reader containing the token, then select Change Passphrase. The Update Passphrase window is displayed.

4. Type the unblocking code in the Enter Unblocking Code field.

5. Type your new passphrase in the New Passphrase and in the Reenter new Passphrase fields. The new passphrase must be different from your previous passphrase. The passphrase must be from 4 - 20 characters and must not contain spaces.

6. Click OK.

Unblocking a token using CIP Desktop
If you have CIP Desktop installed on your computer, you can unblock a Datakey 330u token by launching the Passphrase Utility directly. To do so, perform the following steps:

1. Ask your administrator for the next available unblocking PIN.

2. Insert the blocked token into the reader.

3. Start the Passphrase Utility. You can start the Passphrase Utility either by right-clicking the SmartMonitor icon or by selecting Start -> Programs -> Datakey CIP -> Passphrase Utility.

4. Click the Update Passphrase button. A dialog box appears asking you to enter the next available unblocking passphrase.

5. Click OK. The unblocking window appears.

6. Type the unblocking PIN in the Passphrase Unblocking field.

7. Type your new passphrase in the New Passphrase and the Reenter new Passphrase fields. The new passphrase must be different from your previous passphrase. The passphrase must be from 4 - 20 characters and must not contain spaces.

8. Click OK.

Unblocking an Identrus Token
The procedure for unblocking an Identrus token is virtually identical to the procedure used to unblock a Datakey 330u token. The only difference you will see is the Identrus-specific buttons on the main Passphrase Utility window:

Simply click the appropriate button and type the necessary information, using the procedure described on page 76 as your guideline.

Chapter 7

Using Biometric Smart Cards and Card Readers

Overview
This chapter describes the biometric capabilities of Datakey CIP. The biometric capabilities allow you to log on to a smart card by simply pressing a fingertip on a card reader. Your fingerprint is read by the biometric card reader and the authentication process is then performed directly and securely on the smart card. A Datakey 330m or a Datakey 330g3 smart card is required when using the biometric capabilities of Datakey CIP. The Datakey 330m smart card is designed specifically for use with biometric card readers. It is known as a match-on-card smart card because the fingerprint authentication match takes place securely on the smart card. The Datakey 330g3 is a GSA compatible smart card that ensures “any card, any software” operation.

Note: See page 8 for more information about the biometric smart cards and card readers supported by Datakey.

Before the smart card will recognize your fingerprint, you must enroll your fingerprint on the smart card. Up to four of your fingerprints may be enrolled at one time. Enrolling multiple fingerprints enables you to use a different fingerprint to log on if for some reason you can't use your usual fingerprint (for example, due to injury).

Enrollment
When you first receive your Datakey smart card your fingerprint information will not be on the smart card. A good first step after receiving your Datakey smart card is to initialize the card. You can then enroll your fingerprint information.

Initializing the Datakey smart card

IMPORTANT! Initializing your smart card will erase anything already on the smart card.

1. Start CIP Utilities by selecting Start -> Programs -> Datakey CIP -> CIP Utilities.

2. In the left pane, right-click on the appropriate card reader. A menu appears.

3. Select Initialize Token. This will format your smart card and ensure it is ready for use.

After initializing the smart card, the passphrase for the smart card is set to the default value PASSWORD (or 12345678 if you are using a PIN Pad reader).

Enrolling your fingerprint
To enroll your fingerprint on the smart card:

1. From within CIP Utilities, right-click the appropriate biometric card reader.

2. Select Enroll Fingerprint. You will be asked to log on to the smart card. Because you have not yet enrolled your fingerprint, CIP Utilities will ask for your passphrase. If you just initialized the smart card, it will be PASSWORD or 12345678.

3. Type your passphrase, then click OK. The following dialog box appears:

This dialog box enables you to configure the following:

• Which fingerprint(s) you want to enroll

• Various enrollment options

4. Use the check boxes by each finger to select which fingerprint(s) you want enrolled on the smart card. If you want, you can select just one finger and then log on only with that fingerprint. Or you can choose two, three, or four fingerprints. That will let you log on to the smart card if, for some reason, your usual fingerprint cannot be used. Up to four fingerprints may be enrolled. If you select four fingertips, all remaining check boxes will disappear. Clearing a check box will cause the other check boxes to reappear.

5. Click Options.

The following enrollment options are displayed:

By default all options but the first are initially off. Please read the following descriptions carefully before enabling any of the options.

• False Acceptance Rate (FAR): The FAR determines how carefully the smart card will look at your fingerprint. Setting the FAR very high (1 in 1,000,000) gives you very good security but can make it difficult to log in sometimes. Depending on the condition of the smart card reader and your fingerprint, your logon may be rejected when it shouldn't. Setting the FAR very low (1 in 100) makes it easier to log on, but also makes it a little more likely that a wrong fingerprint will be accepted for log on. The setting 1 in 10,000 provides a good balance between security and ease-of-use.

• Logon Mode: Specifies what a user must provide in order to log on to the smart card. There are three choices:
  (1) A fingerprint or a passphrase
  (2) A fingerprint only (no passphrase allowed)
  (3) A fingerprint and a passphrase (both required)

• Bad Fingerprint Logon Retry Limit: Specifies the number of times a user can attempt to use their fingerprint to log on to the card before the fingerprint capability becomes locked. The fingerprint retry limit is different from the passphrase retry limit, so it may be possible to log on using a passphrase if the fingerprint retry limit is reached (but only if Logon Mode = Fingerprint -OR- Passphrase).

• No Reenrollment Allowed: Specifies if it is possible to go through the fingerprint enrollment process on a smart card more than once. Enabling this option means that, following the initial enrollment, no one is allowed to change fingerprint credentials unless the card is reinitialized.

• No “Retry Limit” Change on Reenrollment: (This option is not available if No Reenrollment Allowed is enabled.) Specifies if the Bad Fingerprint Logon Retry Limit option can be changed if someone has previously enrolled to the smart card.

• No “Logon Mode” Change on Reenrollment: (This option is not available if No Reenrollment Allowed is enabled.) Specifies if the Logon Mode option can be changed if someone has previously enrolled to the smart card.

• Keep Enrollment When Smart Card Initialized: Specifies if the fingerprint(s) enrolled on the smart card will be preserved if the smart card is re-initialized.

6. After selecting the fingerprints you want enrolled and the desired fingerprint options, click OK. A dialog box similar to the following appears:

Follow the instructions on the screen to enroll each finger you selected in the previous dialog box. A green dot highlights the finger currently being enrolled. Pay close attention to the green dot so you don't accidentally use the wrong finger.
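To see how the Logon Mode and Bad Fingerprint Logon Retry Limit options interact, here is an added Python model of the rules described above; it is an illustration written for this guide, not code from the Datakey CIP software or the card. It keeps the fingerprint retry count separate from the passphrase retry count, and shows that a passphrase fallback after the fingerprint capability locks exists only in Logon Mode (1), while in modes (2) and (3) a locked fingerprint means no logon until the card is dealt with. The passphrase retry limit value, the scenario inputs and the result names are assumptions made for the example.

```python
"""Added example (not from the Datakey CIP guide or software): a model of the
Logon Mode and Bad Fingerprint Logon Retry Limit enrollment options.  The
passphrase retry limit (3) is an assumed value; the guide gives no number."""
from dataclasses import dataclass
from enum import Enum


class LogonMode(Enum):
    FINGERPRINT_OR_PASSPHRASE = 1   # (1) a fingerprint or a passphrase
    FINGERPRINT_ONLY = 2            # (2) a fingerprint only, no passphrase allowed
    FINGERPRINT_AND_PASSPHRASE = 3  # (3) a fingerprint and a passphrase, both required


@dataclass
class CardLogonState:
    mode: LogonMode
    fingerprint_retry_limit: int        # the "Bad Fingerprint Logon Retry Limit" option
    passphrase_retry_limit: int = 3     # assumed; separate from the fingerprint limit
    bad_fingerprints: int = 0
    bad_passphrases: int = 0

    @property
    def fingerprint_locked(self) -> bool:
        return self.bad_fingerprints >= self.fingerprint_retry_limit

    @property
    def token_blocked(self) -> bool:
        # A blocked token needs an unblocking PIN (330u) or re-initialization (Chapter 6).
        return self.bad_passphrases >= self.passphrase_retry_limit

    def _check_fingerprint(self, ok: bool) -> str:
        if self.fingerprint_locked:
            return "fingerprint_locked"
        if ok:
            return "ok"
        self.bad_fingerprints += 1
        return "fingerprint_locked" if self.fingerprint_locked else "denied"

    def _check_passphrase(self, ok: bool) -> str:
        if self.token_blocked:
            return "token_blocked"
        if ok:
            return "ok"
        self.bad_passphrases += 1
        return "token_blocked" if self.token_blocked else "denied"

    def attempt(self, fingerprint=None, passphrase=None) -> str:
        """Each credential is True (correct), False (wrong) or None (not presented)."""
        if self.mode is LogonMode.FINGERPRINT_ONLY:
            if fingerprint is None:
                return "denied"            # a passphrase is not an accepted credential
            r = self._check_fingerprint(fingerprint)
            return "granted" if r == "ok" else r
        if self.mode is LogonMode.FINGERPRINT_AND_PASSPHRASE:
            if fingerprint is None or passphrase is None:
                return "denied"
            r = self._check_fingerprint(fingerprint)
            if r != "ok":
                return r                   # no passphrase-only fallback in this mode
            r = self._check_passphrase(passphrase)
            return "granted" if r == "ok" else r
        # FINGERPRINT_OR_PASSPHRASE: fingerprint first, passphrase as the fallback
        if fingerprint is not None and not self.fingerprint_locked:
            r = self._check_fingerprint(fingerprint)
            if r == "ok":
                return "granted"
            if passphrase is None:
                return r
        if passphrase is not None:
            r = self._check_passphrase(passphrase)
            return "granted" if r == "ok" else r
        return "fingerprint_locked" if self.fingerprint_locked else "denied"


def run_scenario(mode: LogonMode, attempts, fingerprint_retry_limit: int = 3):
    """Replay a list of attempt keyword-dicts against a fresh card and return the outcomes."""
    card = CardLogonState(mode=mode, fingerprint_retry_limit=fingerprint_retry_limit)
    return [card.attempt(**a) for a in attempts]


# Constructed scenarios (not from the guide).
THREE_BAD_FINGERS_THEN_PASSPHRASE = [
    {"fingerprint": False}, {"fingerprint": False}, {"fingerprint": False},
    {"passphrase": True},
]
BOTH_PRESENTED = [
    {"fingerprint": False, "passphrase": True}, {"fingerprint": False, "passphrase": True},
    {"fingerprint": False, "passphrase": True}, {"fingerprint": True, "passphrase": True},
]
THREE_BAD_PASSPHRASES = [
    {"passphrase": False}, {"passphrase": False}, {"passphrase": False}, {"passphrase": True},
]

if __name__ == "__main__":
    for mode in LogonMode:
        print(mode.name, run_scenario(mode, THREE_BAD_FINGERS_THEN_PASSPHRASE))
```

Running it shows why the guide ties passphrase fallback to mode (1): with the same three failed fingerprint attempts, only that mode still grants access when the correct passphrase follows, and the passphrase counter is the one that can block the token outright.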

For each fingerprint, you will press your finger on the biometric card reader four times. The first three times are to get a good measure of your fingerprint, and the fourth time is to verify that the first three worked correctly. The enrollment process goes very quickly. After pressing your finger on the reader the first time, the following dialog box appears:

7. Follow the instructions in the dialog box. As you proceed, the next instruction in the dialog box will be highlighted. After placing your finger three times, the following dialog box appears:

8. Place your finger for the last time. The sequence is repeated for each additional fingerprint that must be enrolled. When all fingerprints have been successfully collected, the following dialog box will appear while the fingerprint data is written to your smart card:

After your fingerprints are enrolled on the smart card, the following dialog box appears:

9. Click OK.

Your fingerprint(s) are now enrolled on the smart card. The next time you log on to the smart card you will be prompted for your fingerprint(s) instead of the passphrase.

Troubleshooting enrollment errors
The following errors may occur while enrolling your fingerprint:

• Finger not centered: While enrolling, you may be prompted to move your fingerprint. The dialog box looks similar to the following:

In this case, move your finger up a little and try again.

• Finger too wet or too dry: Sometimes your finger may be too dry or too wet for the biometrics card reader to get a good reading:

If your fingerprint is too dry, either breathe on your fingertip or wipe it on your temple and try again. If your fingerprint is too wet, wipe it on a dry cloth and try again.

• Card reader behaves erratically: If the biometrics card reader is acting erratically (if the reader light is constantly flickering or it displays messages out of context), try unplugging and reconnecting the reader and then restarting your computer. Sometimes an electric static buildup occurs and the reader simply needs to be reset.

Login
To log on to the smart card using your fingerprint, first make sure you have enrolled your fingerprint properly. You can verify your fingerprint is enrolled by checking in the Flags section in the right pane of CIP Utilities.

Verify fingerprint enrollment

IMPORTANT! You can only log on with your fingerprint if you are using an enrolled Datakey smart card in a Precise Biometrics Smart Card Reader.

Logging on using one fingerprint

1. Right-click the appropriate biometric card reader.

2. Select Login. The following dialog box appears:

3. Put the appropriate fingertip on the card reader, then follow the instructions on the screen.

Logging on with multiple fingerprints

1. Right-click the appropriate biometric card reader.

2. Select Login. A dialog box similar to the following appears:

Note: The dialog box above shows that four fingerprints are enrolled on the smart card, with the right index finger currently selected.

3. If the correct finger is selected, press your fingerprint on the reader and follow instructions. Otherwise, use the mouse to click on the fingerprint you want, and then press your fingerprint on the reader.

Completing the login process
After the biometric card reader reads your fingerprint, the fingerprint is sent to the smart card for authentication matching. A dialog box similar to the following appears:

Note: You can lift your finger at this point, because the fingerprint has already been read.

If the authentication succeeds, you'll be logged onto the smart card and the following dialog box appears:

If the authentication fails the following dialog box appears:

Troubleshooting
The following are solutions to some of the most common problems that occur when logging on using a fingerprint:

• If your fingerprint isn't placed in the center of the fingerprint reader, a dialog box similar to the following appears:

Simply move your finger and try again.

• If your fingerprint is too wet or too dry for the biometric card reader to get a good reading, a dialog box similar to the following appears:

If your fingerprint is too dry, either breathe on your fingertip or wipe it on your temple and try again. If your fingerprint is too wet, wipe it on a dry cloth and try again.

Chapter 8

Datakey CIP Desktop

Datakey CIP Desktop is a suite of complementary applications and utilities that work in concert with Datakey CIP client software. Datakey CIP Desktop makes your personal Datakey token more flexible and powerful for everyday use. The individual applications and utilities that comprise Datakey CIP Desktop include:

• SmartMonitor

• SmartLogon

• SmartNotes

• Passphrase Utility

• Auto Cert Registration Utility

• CIP Utilities

The Datakey CIP Desktop suite of applications and utilities is an optional feature of Datakey CIP. The applications and utilities are described in detail in the Datakey CIP Desktop User Guide. For convenience, a brief description of each of the CIP Desktop components is provided here.

SmartMonitor
SmartMonitor provides an easy method for launching and controlling your Datakey CIP Desktop components. The CIP Desktop installation process places a SmartMonitor icon into your computer’s system tray. When active, you can left-click this icon to use the SmartLogon Auto Fill feature, or you can right-click the icon to quickly access CIP Utilities, the SmartLogon application, the SmartNotes application, or the Passphrase utility.

When active, the SmartMonitor icon will appear in your computer’s system tray. The SmartMonitor icon looks similar to a small computer chip.

SmartMonitor 

SmartLogon
SmartLogon enables you to store user name and/or password entries on your Datakey smart card. The program recognizes and remembers the application or Web site associated with each entry. This simplifies the logon process because you no longer need to remember which unique logon combination applies to which application or Web site—SmartLogon automatically fills in the correct user name and/or password for you. For example, you might have unique user name/password entries for:

• Your bank’s Web site

• Your favorite airline Web site

• Your email service

• Your network applications

• Your desktop applications

• A Microsoft Word file that requires password authentication

• Other Web sites and applications that require a unique user name and/or password

Using SmartLogon you only need to remember one password—your smart card password—to access any of these applications or Web sites. Your user names and passwords are secure, and you can access your favorite applications and Web sites worry-free.

SmartNotes
SmartNotes enables you to securely store personal notes and data on your Datakey token. With SmartNotes your token becomes a portable electronic notebook, allowing you to store account information, favorite URLs, personal reminder notes, and other often-used data. And this information is safe, protected by the passphrase needed to activate the token.

Passphrase Utility
The Passphrase Utility allows you to update and change the passphrase that protects and activates your token. You can also use this utility to issue unblocking codes—passphrases that unlock a token should it become blocked by too many incorrect log-in attempts. Unblocking codes are available on Datakey Model 330U tokens. Finally, the Passphrase Utility can be used to initiate the Identity PIN on a Datakey Model 330i Identrus token and to change both the Identity PIN and the Utility PIN on an Identrus token.

Auto Cert Registration Utility
The Auto Cert Registration Utility automatically registers digital credentials contained on a Datakey token with Microsoft Windows and all desktop applications. This provides a quick and easy deployment of your personal digital credentials, enabling instant and transparent use of all Windows applications that require digital credentials. The Auto Cert Registration Utility does not need to be started. It runs automatically, requiring no user intervention. The utility checks the token for unregistered credentials each time the computer is started and each time a new token is inserted into the token reader. If unregistered credentials are discovered on the token, the utility automatically registers the credentials with Windows and any other application that requires the use of digital credentials. It does this by placing copies of any certificates contained on your token into the Windows certificate store.

CIP Utilities
The Datakey CIP Utilities is an intuitive, easy-to-use program that is used to view and manage Datakey tokens and the objects contained on the tokens. The program reports token and reader status and can be used for base-level diagnostics. Administrators can configure the functionality and features available for enterprise deployment through an administrative wizard included with CIP Utilities. Although it is treated as a Datakey CIP Desktop component, the CIP Utilities program is originally provided with your Datakey CIP software. See Chapter 5 of this guide for details about the CIP Utilities.

Appendix A

Modifying PIN Timeout and Single Sign-On Values

This appendix describes how to modify the PIN timeout and the Single Sign-On (SSO) features supported by Datakey CIP.

IMPORTANT! Only experienced administrators should attempt to modify the PIN timeout and SSO values.

PIN timeouts
The Datakey CIP PIN timeout policy controls the token timeout behavior. It determines how long the token can remain idle before it times out, and it controls what happens when the timeout limit is reached. The PIN timeout feature enables Datakey CIP to control the timeout rules and actions rather than allowing individual applications to control their timeout behavior.

Default PIN timeout values
The Datakey CIP PIN timeout policy is controlled by three specific DWORD values within the Windows system registry. When Datakey CIP is initially installed the DWORD values do not exist, so the system registry simply assumes the data values are zero. The effect is that the PIN timeout is ignored. Therefore, by default, each application requiring access to a token must initially log on to the token, but then remains logged on until it logs off of its own accord.


Creating the DWORD values

You can create the DWORD values manually using the Windows Registry Editor, but an easier and safer method is to use the CIP Utilities to create the values.

To create the DWORD values using the CIP Utilities:

1. From within CIP Utilities, right-click the reader containing the desired token, then select Change Inactivity Timer.

2. Select the desired timeout option. The values on this screen define the default DWORD values. See "Changing the Inactivity Timer" on page 60 for detailed information about the options.

3. Click OK. This generates the three registry DWORD values. The DWORD values are located in the following directory: HKEY_LOCAL_MACHINE\Software\Datakey\Cryptoki\1.0

Modifying the PIN timeout policy

To modify the PIN timeout policy you must modify the appropriate DWORD values within the system registry. This can be done using either the Datakey CIP Quality Agent or by manually modifying the registry using the Windows Registry Editor (regedit).

IMPORTANT! Only experienced administrators should attempt to modify the system registry. Errors in your system registry may cause your computer to function improperly.

To modify the PIN timeout policy using the Windows Registry Editor:

1. Choose Start -> Run.

2. Type regedit and then click OK. The Registry Editor appears:

3. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Datakey\Cryptoki\1.0 directory. The DWORD values are listed in the right pane. The three that affect the PIN timeout policy are:
   • AccessPolicy
   • ResetPolicy
   • TimePeriod

4. To modify a value, double-click the value in the right pane. For example, if you double-click AccessPolicy the following dialog box appears:

Use the following tables to guide you when modifying any of the three DWORD values.


AccessPolicy DWORD

The AccessPolicy DWORD controls the PIN timeout behavior.

Value data  Short description / Long description

0  No PIN Cache
   Each application is required to supply a PIN to use private objects on the token. Private objects are then available until the application logs off. The Inactivity Timer is ignored. The Single Sign-On feature (SSO) is unavailable.

1  PIN Cache Active/No Inactivity Timer
   One application is required to supply a PIN in order to use private objects on the token. Private objects are then available for use by all applications. The Inactivity Timer is ignored and access is permitted until the computer is rebooted or the token is removed. The Single Sign-On feature is available.

2  PIN Cache and Inactivity Timer Active
   One application is required to supply a PIN in order to use private objects on the token. Private objects are then available for use by all applications. When the Inactivity Timer expires, the cached PIN is erased and all applications are logged off. The Single Sign-On feature is available.

4  PIN Cache Timeout on Screen Saver Active
   The Inactivity Timer expires only when the Windows screen saver becomes active. The cached PIN is erased and all applications are logged off.

6  PIN Cache Timeout or Screen Saver Active
   The Inactivity Timer expires according to the TimePeriod value or when the Windows screen saver becomes active. The cached PIN is erased and all applications are logged off.


ResetPolicy DWORD

The ResetPolicy DWORD determines what activities will reset the PIN timer.

Value data  Short description / Long description

0  No Reset of PIN Cache/Timeout
   Inactivity timer period is never restarted. The use of private objects will time out upon expiration of the inactivity timer period, and the PIN will need to be supplied to re-enable access to private objects.

1  PIN Cache/Timeout Based on Private Token Activity
   Inactivity timer period is restarted by any signing/decryption operation performed by CIP.

2  PIN Cache/Timeout Based on General Private Activity
   Inactivity timer period is restarted by any CIP activity that requires a PIN to access or operate. Activities include cryptographic operations that use, read, write, create, or change private keys or objects, regardless of whether the particular object is resident on a token, in PC memory, or some combination of both.

4  PIN Cache/Timeout Based on General Token Activity
   Inactivity timer period is restarted when CIP has any exchanges with the token for any type of access.

8  PIN Cache/Timeout Based on General Library Activity
   Inactivity timer period is restarted by calls of any type to the Cryptoki middleware.

16  Timeout Reset on Mouse/Keyboard Activity
   Keyboard presses or mouse movement or clicks restart the inactivity timer period.

32  PIN Cache/Timeout Auto Reset
   Inactivity timer period is reset before it expires, so as to allow access to private objects at all times. Access is permitted until the computer is rebooted or the token is removed.


TimePeriod DWORD

The TimePeriod DWORD specifies the length of the timeout period (in seconds). When the inactivity timer expires, the Access policy (based on the registry DWORD AccessPolicy) will be enforced. During the period that the inactivity timer has not expired, individual applications may access the token as allowed by the AccessPolicy.

Single Sign-On (SSO)

The SSO feature gives you the option to log on to the token once for all applications. Once you are logged in, all applications requiring information on the token have access to the token. This means you don't need to log on to the token each time you use a different application or each time an authentication request is issued by an application. You remain logged in until either a token event or a time event logs you off the token.

Configuring SSO

SSO is controlled by the system registry. To enable or disable the SSO policy you must modify the AccessPolicy DWORD value within the registry. This can be done using either the Datakey CIP Utilities or by manually modifying the value using the Windows Registry Editor (regedit).

To enable or disable the SSO policy using regedit:

1. Follow the instructions beginning on page 98 for accessing the AccessPolicy DWORD value.

2. Set the AccessPolicy value to one of the following:
   • To disable SSO: AccessPolicy = 0
   • To enable SSO: AccessPolicy = 1 or AccessPolicy = 2

SSO is controlled by the same timeouts as Datakey CIP via the ResetPolicy DWORD value.
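The three DWORD values described in the tables above, and the SSO setting that rides on AccessPolicy, can be reviewed offline from a regedit export of the Cryptoki\1.0 key. The following Python is an added example, not part of the Datakey CIP product or this guide; it assumes a standard .reg export and treats ResetPolicy as a bit mask of the listed values, which the tables imply but do not state.

```python
r"""Decode the Datakey CIP PIN timeout / SSO policy from a regedit export.
Added example, not the product's own code: it reads the three DWORD values
this appendix describes from a .reg export of the Cryptoki\1.0 key, explains
the effective policy, and flags settings under which a cached PIN never
expires. Treating ResetPolicy as a bit mask of the listed values is an assumption.
"""
import re

KEY_PATH = r"HKEY_LOCAL_MACHINE\SOFTWARE\Datakey\Cryptoki\1.0"

# AccessPolicy values, from the AccessPolicy DWORD table in this appendix.
ACCESS_POLICY = {
    0: "No PIN Cache (SSO unavailable)",
    1: "PIN Cache Active/No Inactivity Timer (SSO available)",
    2: "PIN Cache and Inactivity Timer Active (SSO available)",
    4: "PIN Cache Timeout on Screen Saver Active",
    6: "PIN Cache Timeout on TimePeriod or Screen Saver Active",
}
# ResetPolicy values, from the ResetPolicy DWORD table in this appendix.
RESET_FLAGS = {
    1: "private token activity (signing/decryption)",
    2: "general private activity (any PIN-protected CIP operation)",
    4: "general token activity (any exchange with the token)",
    8: "general library activity (any Cryptoki call)",
    16: "mouse/keyboard activity",
    32: "auto reset before expiry",
}
_DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{1,8})$')


def parse_reg_export(text):
    """Return {name: int} for the DWORD values under KEY_PATH in a .reg export."""
    values, in_key = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == KEY_PATH.lower()
            continue
        m = _DWORD_RE.match(line)
        if in_key and m:
            values[m.group("name")] = int(m.group("hex"), 16)
    return values


def decode_policy(values):
    """Return (description lines, findings); a missing value counts as zero,
    which is how the guide says the registry treats it."""
    access = values.get("AccessPolicy", 0)
    reset = values.get("ResetPolicy", 0)
    period = values.get("TimePeriod", 0)
    resets = [desc for bit, desc in RESET_FLAGS.items() if reset & bit]
    lines = [
        f"AccessPolicy={access}: {ACCESS_POLICY.get(access, 'undocumented value')}",
        f"ResetPolicy={reset}: timer restarted by " + (", ".join(resets) or "nothing"),
        f"TimePeriod={period} seconds",
    ]
    findings = []
    if access == 1:
        findings.append("PIN cached until reboot or token removal; inactivity timer ignored")
    if access in (2, 6) and period == 0:
        findings.append("TimePeriod is 0 or missing: the inactivity timer has no period")
    if access in (2, 6) and reset & 32:
        findings.append("ResetPolicy auto reset (32) keeps the timer from ever expiring")
    return lines, findings


# Constructed sample export (not taken from a real system).
SAMPLE_EXPORT = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Datakey\Cryptoki\1.0]
"AccessPolicy"=dword:00000002
"ResetPolicy"=dword:00000021
"TimePeriod"=dword:0000012c
"""

if __name__ == "__main__":
    desc, issues = decode_policy(parse_reg_export(SAMPLE_EXPORT))
    print("\n".join(desc + ["FINDING: " + i for i in issues]))
```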


Trusted Application Policy

In order to use SSO an application must be considered a trusted application. A trusted application will have a SHA-1 hash of its .exe file stored in the registry. The hash value is stored in a key located in HKEY_LOCAL_MACHINE\Software\Datakey\Cryptoki\1.0\TrustedApp. When needed, Datakey CIP will read the application's .exe file and generate a SHA-1 hash value. A search is then made for that hash in the list of trusted application hashes contained in the registry. If a match is detected, the current registry settings for TimePeriod, AccessPolicy, and ResetPolicy will be used for that application. If no match is detected, all PIN caching and SSO capabilities for that application are disabled.
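The trust decision above is a SHA-1 digest of the executable's bytes compared against the list under TrustedApp, so an administrator can reproduce it to see which installed executables would get PIN caching and SSO and which registry hashes no longer match any executable. The following Python is an added example, not the product's own code; the guide does not give the registry layout of the hashes, so it assumes they are available as hex strings, and the executables it audits are constructed sample files.

```python
r"""Reproduce the Datakey CIP trusted-application check offline.
Added example, not the product's own code. The appendix says CIP hashes an
application's .exe with SHA-1 and looks the digest up under
HKEY_LOCAL_MACHINE\Software\Datakey\Cryptoki\1.0\TrustedApp. The registry
layout of those hashes is not given in the guide, so this assumes they have
been exported as hex strings. It reports which executables would be trusted
and which registry hashes match no executable (stale or unexpected entries).
"""
import hashlib
import os
import tempfile


def sha1_of_file(path):
    """SHA-1 of the file contents, read in chunks, as lowercase hex."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_trusted_apps(trusted_hashes, exe_paths):
    """Return (trusted, untrusted, orphan_hashes).

    trusted / untrusted: executable paths that would or would not receive PIN
    caching and SSO; orphan_hashes: registry hashes matching none of the
    given executables, sorted.
    """
    wanted = {h.lower() for h in trusted_hashes}
    trusted, untrusted, seen = [], [], set()
    for path in exe_paths:
        digest = sha1_of_file(path)
        if digest in wanted:
            trusted.append(path)
            seen.add(digest)
        else:
            untrusted.append(path)
    return trusted, untrusted, sorted(wanted - seen)


def demo():
    """Audit two constructed 'executables' in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "mailclient.exe")
        other = os.path.join(d, "unknown.exe")
        with open(good, "wb") as f:
            f.write(b"MZ constructed sample executable bytes")
        with open(other, "wb") as f:
            f.write(b"MZ some other constructed bytes")
        # Constructed registry list: the real hash of mailclient.exe plus a
        # placeholder entry whose executable is no longer present.
        registry_hashes = [sha1_of_file(good), "0" * 40]
        return audit_trusted_apps(registry_hashes, [good, other])


if __name__ == "__main__":
    t, u, o = demo()
    print("trusted:", t)
    print("untrusted:", u)
    print("hashes with no matching executable:", o)
```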


Appendix B

Common Access Card Differences

Since a Common Access Card (CAC) is a read-only smart card, a number of features and functions in Datakey CIP are not allowed when interfacing to a CAC. Datakey CIP automatically detects when a CAC is present and will prevent these features and functions from being used. The features and functions of Datakey CIP that do not apply to CAC users are identified in the table on page 106.

What is a CAC?

A CAC is a tool that is ideally suited for use with applications that require the secure storage of digital IDs and credentials. CACs act as secure "digital carriers"—vehicles capable of storing one or more digital representations of a particular person. A sample CAC is illustrated below:


Benefits of CACs

CACs provide a number of benefits:

• Security: Your private information never leaves the CAC, and is protected by two-factor security—something that is owned (the CAC) and something that is known (the CAC PIN).
• Portability: Your digital credentials can go wherever you go.
• Flexibility: A CAC can be used to store a variety of information, including certificates, public keys, private keys, user names and passwords, etc.
• Simplicity: Your many passwords can be stored on a single CAC. In addition, you are less likely to lose a CAC than forget a password.
• Ease of use: A CAC is simply inserted into a CAC reader to activate an application; no complex codes need be read or entered. Further, one CAC can be used for several applications.

Functional differences

If you are a CAC user, a few of the features and functions of Datakey CIP do not apply to you. The following table shows the features and functions that do not apply to CAC users.

Datakey CIP Feature / Functions that do not apply to CAC users

Datakey CIP ISign (Chapter 3)
   None of the functions apply

Datakey CIP Thin (Chapter 4)
   None of the functions apply

Datakey CIP Utilities Token Reader Tasks (Chapter 5)
   • Changing the Token Label
   • Initializing a Token
   • Importing PKCS#12 Files
   • Import Certificate From System

Datakey CIP Utilities Certificate Tasks (Chapter 5)
   • Delete From Token
   • Set to Default Container
   • Edit Object
   • Update Token

Datakey CIP Utilities Public Key and Private Key Tasks (Chapter 5)
   • Delete From Token
   • Set to Default Container
   • Edit Object
   • Update Token

Datakey CIP Utilities Data Object Tasks (Chapter 5)
   None of the functions apply

Unblocking a Token (Chapter 6)
   None of the functions apply

Using Biometric Smart Cards and Card Readers (Chapter 7)
   None of the functions apply

Datakey CIP Desktop (Chapter 8)
   • SmartLogon
   • SmartNotes
   • Passphrase Utility


Appendix C

CAPI and PKCS#11 Functions

This appendix provides a list of the CAPI 2.0 and the PKCS#11 functions supported by Datakey CIP.

CAPI functions

All of the required functions for CAPI 2.0, and some of the optional functions, are supported. Unsupported functions are labeled as such. The functions with asterisks are optional and may be supported in the future. All nonsupported functions will return valid error codes.

Type / Function

Hash and Digital Signature Functions
   CryptCreateHash, CryptDestroyHash, CryptDuplicateHash (currently not implemented, but CryptDuplicateHash returns the correct error code), CryptGetHashParam, CryptHashData, CryptHashSessionKey, CryptSetHashParam, CryptSignHash, CryptVerifySignature

Key Generation and Exchange Functions
   CryptAcquireCertificatePrivateKey*, CryptDeriveKey, CryptDestroyKey, CryptDuplicateKey (currently not implemented, but CryptDuplicateKey returns the correct error code), CryptExportKey, CryptGenKey, CryptGenRandom, CryptGetKeyParam, CryptGetUserKey, CryptImportKey, CryptSetKeyParam

Service Provider Functions
   CryptAcquireContext, CryptContextAddRef*, CryptEnumProviders*, CryptEnumProviderTypes*, CryptGetDefaultProvider*, CryptGetProvParam, CryptInstallDefaultContext*, CryptReleaseContext, CryptSetProvider* (CryptSetProviderEx*), CryptSetProvParam*, CryptUninstallDefaultContext*

Data Encryption/Decryption Functions
   CryptDecrypt, CryptEncrypt, CryptProtectData*, CryptUnprotectData*

CryptEncodeObject / CryptDecodeObject Functions
   CryptDecodeObject*, CryptDecodeObjectEx*, CryptEncodeObject*, CryptEncodeObjectEx*

PKCS#11 functions

Supported functions are divided by the version of PKCS#11. For the specification of the PKCS#11 cryptographic token standard, refer to http://www.rsalabs.com.

PKCS#11 Version 1 – DKCK132.DLL

Type / Function

General Purpose Functions
   C_Initialize, C_GetInfo

Slot and Token Management Functions
   C_GetSlotList, C_GetSlotInfo, C_GetTokenInfo, C_GetMechanismList, C_GetMechanismInfo, C_InitToken, C_InitPIN, C_SetPin

Session Management Functions
   C_OpenSession, C_CloseSession, C_CloseAllSessions, C_GetSessionInfo, C_Login, C_Logout

Object Management Functions
   C_CreateObject, C_CopyObject, C_DestroyObject, C_GetObjectSize, C_GetAttributeValue, C_SetAttributeValue, C_FindObjectsInit, C_FindObjects

Encryption and Decryption Functions
   EncryptInit, Encrypt, EncryptUpdate, EncryptFinal, DecryptInit, Decrypt, DecryptUpdate, DecryptFinal

Message Digesting Functions
   DigestInit, Digest, DigestUpdate, DigestFinal

Signature and Verification Functions
   SignInit, Sign, SignUpdate, SignFinal, SignRecoverInit, SignRecover, VerifyInit, Verify, VerifyUpdate, VerifyFinal, VerifyRecoverInit, VerifyRecover

Key Management Functions
   C_GenerateKey, C_GenerateKeyPair, C_WrapKey, C_UnwrapKey, C_DeriveKey

Random Number Generation Functions
   C_SeedRandom, C_GenerateRandom

Parallel Function Management Functions
   C_GetFunctionStatus, C_CancelFunction

Callback Function
   Notify


PKCS#11 Version 2.0 – DKCK232.DLL

Type / Function

General Purpose Functions
   Initialize, Finalize, GetInfo, GetFunctionList

Slot and Token Management Functions
   GetSlotList, GetSlotInfo, GetTokenInfo, GetMechanismList, GetMechanismInfo, InitToken, InitPIN, SetPin

Session Management Functions
   C_OpenSession, C_CloseSession, C_CloseAllSessions, C_GetSessionInfo, C_GetOperationState, C_SetOperationState, C_Login, C_Logout

Object Management Functions
   C_CreateObject, C_CopyObject, C_DestroyObject, C_GetObjectSize, C_GetAttributeValue, C_SetAttributeValue, C_FindObjectsInit, C_FindObjects, C_FindObjectsFinal

Encryption Functions
   EncryptInit, Encrypt, EncryptUpdate, EncryptFinal

Decryption Functions
   DecryptInit, Decrypt, DecryptUpdate, DecryptFinal

Message Digesting Functions
   DigestInit, Digest, DigestUpdate, DigestKey, DigestFinal

Signing and MACing Functions
   SignInit, Sign, SignUpdate, SignFinal, SignRecoverInit, SignRecover

Verifying Signatures and MACs Functions
   VerifyInit, Verify, VerifyUpdate, VerifyFinal, VerifyRecoverInit, VerifyRecover

Dual-Function Cryptographic Functions
   DigestEncryptUpdate, DecryptDigestUpdate, SignEncryptUpdate, DecryptVerifyUpdate

Key Management Functions
   C_GenerateKey, C_GenerateKeyPair, C_WrapKey, C_UnwrapKey, C_DeriveKey

Random Number Generation Functions
   C_SeedRandom, C_GenerateRandom

Parallel Function Management Functions
   C_GetFunctionStatus, C_CancelFunction

Callback Functions
   Token insertion callbacks, Token removal callbacks, Parallel function completion callbacks, Serial function surrender callbacks


PKCS#11 Version 2.01 – DKCK201.DLL

Type / Function

General Purpose Functions
   C_Initialize, C_Finalize, C_GetInfo, C_GetFunctionList

Slot and Token Management Functions
   C_GetSlotList, C_GetSlotInfo, C_GetTokenInfo, C_WaitForSlotEvent, C_GetMechanismList, C_GetMechanismInfo, C_InitToken, C_InitPIN, C_SetPin

Session Management Functions
   C_OpenSession, C_CloseSession, C_CloseAllSessions, C_GetSessionInfo, C_GetOperationState, C_SetOperationState, C_Login, C_Logout

Object Management Functions
   C_CreateObject, C_CopyObject, C_DestroyObject, C_GetObjectSize, C_GetAttributeValue, C_SetAttributeValue, C_FindObjectsInit, C_FindObjects, C_FindObjectsFinal

Encryption Functions
   C_EncryptInit, C_Encrypt, C_EncryptUpdate, C_EncryptFinal

Decryption Functions
   C_DecryptInit, C_Decrypt, C_DecryptUpdate, C_DecryptFinal

Message Digesting Functions
   C_DigestInit, C_Digest, C_DigestUpdate, C_DigestKey, C_DigestFinal

Signing and MACing Functions
   C_SignInit, C_Sign, C_SignUpdate, C_SignFinal, C_SignRecoverInit, C_SignRecover

Verifying Signatures and MACs Functions
   C_VerifyInit, C_Verify, C_VerifyUpdate, C_VerifyFinal, C_VerifyRecoverInit, C_VerifyRecover

Dual-Function Cryptographic Functions
   C_DigestEncryptUpdate, C_DecryptDigestUpdate, C_SignEncryptUpdate, C_DecryptVerifyUpdate

Key Management Functions
   C_GenerateKey, C_GenerateKeyPair, C_WrapKey, C_UnwrapKey, C_DeriveKey

Random Number Generation Functions
   C_SeedRandom, C_GenerateRandom

Parallel Function Management Functions
   C_GetFunctionStatus, C_CancelFunction

Callback Functions
   Surrender callbacks, Vendor-defined callbacks


Index

Numerics
10SR reader 35
330u token 75

A
AccessPolicy DWORD value 100
Administrator 56
Auto Cert Registration Utility 55, 95

B
Background color 50
Biometrics 79

C
CAC: functional differences 106; what is 105
CAC card 65
CAPI functions 97, 109
Card readers 8
Certificate: attributes 68; default container 67, 70; deleting 66; exporting 67; moving 66; overview 4
Certificate Authority (CA) 4, 23
Certificate store 66
Change user/install command 35
CIP 1: installing 9; uninstalling 18
CIP Desktop 12, 76
CIP Utilities 47, 96: background color 50; basics 48; configuration 56; configuring 53; enable log 55; exit 74; font settings 51; icons 52; left pane 49; log 55; right pane 49; starting 47; toolbar buttons 51; troubleshooting 73
Citrix 9, 34, 35
Color 50
Common problems 73
Container 67
CryptoAPI 3, 70
Cryptoki Trace settings 51, 54

D
Data object 72: deleting 72; exporting 72
Datakey CIP Desktop 47
Datakey CIP Thin 33
Default container 67, 70
Delete On Removal option 55
Detailed display 53
Digital ID 4
DKAdmin.dat file 57
DKGINASR 21
DKLogger 54
DWORD value 97: AccessPolicy 100; ResetPolicy 101; TimePeriod 102

E
Enable access to the Configuration Dialog option 57
Entrust 9, 11, 19

F
Fast user switching 45
Fat client 33
Feedback Agent 51
FIPS 140-2 3
Fonts 51

G
GINA 21

H
Help system 20, 73

I
Icons 52
Identrus token 27, 77
IIS 39
iKey 2
Inactivity timer 60
Initializing a token 61
Installation 9

K
Key: attributes 70; deleting 69; exporting 69; private 4, 23, 66, 69; public 4, 23, 69
Key sharing 1
Keyboard users 49

L
Library version 64
Log settings 54
Logging on/off 58

M
Match-on-card 79
MetaFrame 35
Microsoft 19
Microsoft IIS 39

N
Netscape 19
NFuse 37

O
Object name 55
Online Help 20, 73

P
Passphrase: changing 59
Passphrase complexity rules 11, 25
Passphrase Utility 95
PIN pad reader 22
PIN timeout 97
PKCS#11 1, 3: functions 111
PKCS#12 file 63
PKI 4, 23
Private key 4, 23, 66, 69
Public key 4, 23, 69, 70
Publishing Citrix applications 41

Q
Quality Feedback Agent 51, 56

R
Reader 2, 8: changing 19; enabling serial reader 55; installing (adding) 19; uninstalling 19
readers 8
Refresh 53
Registration 20
Registry editor 98
Requirements 7
ResetPolicy DWORD value 101
Right-click menu 49
Roaming 33, 34, 42, 45

S
Secure Gateway 40
SHA-1 103
Single sign-on 97
SmartLogon 12: what is 94
SmartMonitor 47, 93
SmartNotes 12, 95
SSO 97, 102
Status bar 53
Support 20
System requirements 7

T
Terminal Server 42
Testing a token 63
Thin client 33
Timeout 97
TimePeriod DWORD value 102
Token 2, 8: features 2; initializing 17, 61; label 60; logging on/off 58; testing 63; updating 68, 71; what is 2
Token server 54
Toolbar buttons 51
Troubleshooting 73
Trusted application 103

U
Unblocking 75

V
Version 64

W
Web Interface 37
Windows 2000 logon 67, 70
Windows certificate store 66
Windows XP machine 45

X
X.509 67


SafeNet Inc.
2051 Killebrew Drive, Suite 620
Bloomington, MN 55425
Phone: (952) 890-6850
Toll-free: 1-888-328-2539
Fax: (952) 890-2726
